toll

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward wrapper for a token-usage CLI, but users should be aware it reads local AI-session logs and suggests an unpinned remote installer.

Install only if you trust the toll CLI and are comfortable with it reading local Claude Code and Codex CLI session history. Prefer cargo install or a reviewed, pinned release over the curl-to-sh quick install, and avoid sharing JSON or CSV output if it could reveal private projects or usage details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly states that it reads local Claude Code and Codex CLI session logs, but it does not warn users that these logs may contain sensitive prompts, project paths, model usage history, or other private metadata. This creates a privacy transparency issue because users may invoke the skill without realizing it accesses local session data outside the immediate command input.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Quick install (Linux/macOS)
curl -fsSL https://raw.githubusercontent.com/Fullstop000/toll/refs/heads/master/install.sh | sh

# Or via cargo
cargo install toll
```
Confidence
96% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/Fullstop000/toll/refs/heads/master/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Quick install (Linux/macOS)
curl -fsSL https://raw.githubusercontent.com/Fullstop000/toll/refs/heads/master/install.sh | sh

# Or via cargo
cargo install toll
```
Confidence
98% confidence
Finding
| sh

VirusTotal

66/66 vendors flagged this skill as clean.
