Token consumption monitoring optimization

Security checks across malware telemetry and agentic risk

Overview

This is a simple token-usage helper that discloses that it reads local QClaw/OpenClaw session logs; no bundled executable code and no hidden network behavior were found.

Install only if you are comfortable with a helper that may inspect local QClaw/OpenClaw session logs, which can contain prompts, responses, or other sensitive text. Prefer explicit token-monitoring prompts, and inspect the referenced local token_stats.py script before running it because this version does not include that script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
89% confidence
Finding
The trigger phrases are broad enough to activate on ordinary discussion of token usage, costs, or optimization, which can cause the skill to run unexpectedly and access or summarize local session log data when the user did not clearly intend that action. In a skill that reads usage logs and generates reports, overbroad activation increases the chance of unintended data exposure or confusing workflow hijacking, even if there is no obvious malicious payload.

VirusTotal

66/66 vendors flagged this skill as clean.