Token Usage Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local token-usage utility with manual setup, local logs, and no evidence of hidden network access or automatic service installation.

Before installing, choose the log folder deliberately and treat token logs as potentially sensitive usage metadata. Review scripts before wiring them into a message pipeline, do not rely on the summarizer or interceptor as a secret-redaction layer, and only enable the systemd example if you intentionally want a background service with a least-privileged local user and corrected path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The README defines a natural-language trigger phrase, "Say 'package' to proceed," that is overly generic and can be invoked accidentally during normal conversation. In an agent setting, broad triggers increase the chance of unintended workflow escalation, such as packaging or test actions being initiated without explicit, structured user consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal