
Security audit

大模型Token成本节约 (LLM token cost reduction)

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent as a token-compression helper, but its optional telemetry and credential persistence need user review before installation.

Install only if you want a tool that may modify your Python environment and wrap local LLM clients. Keep telemetry disabled unless you are comfortable sending token/model/cost metrics to mrkjai.com, do not include prompts or identifiers in metadata, and avoid storing the dashboard API key in shell startup files on shared or sensitive machines. Prefer reviewing or pinning the installer instead of running the remote one-liner directly.
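The last recommendation above, reviewing and pinning the installer instead of running the remote one-liner, and the later finding about an unguarded `pip install`, can both be enforced with a small gate in front of the install step. The example below is added for this audit and is not code from the skill or its installer: it records the SHA-256 a reviewer computed after reading the script, refuses to run any download whose digest differs, and (optionally) refuses to install outside a virtual environment. The installer bytes and the pinned digest are constructed stand-ins, since the real script's contents are not reproduced on this page.

```python
import hashlib
import hmac
import os
import stat
import sys
import tempfile

# Constructed stand-in for scripts/install_and_verify.sh. The real script's
# contents, and therefore its digest, are not reproduced on this page.
SAMPLE_INSTALLER = b"#!/usr/bin/env bash\nset -e\necho 'install + verify'\n"

# The digest a reviewer records after reading the script and pins in the
# skill's docs or a lock file; recomputed from the constructed sample here.
PINNED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pinned_installer(path: str, expected_sha256: str) -> bool:
    """True only if `path` is a regular file (not a symlink) whose SHA-256
    equals the pinned digest recorded at review time."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def in_virtualenv() -> bool:
    """True when the interpreter runs inside a venv, so the installer's
    `pip install` cannot reach the system or user site-packages."""
    return sys.prefix != sys.base_prefix


def install_gate(path: str, expected_sha256: str, require_venv: bool = True):
    """Decide whether the downloaded installer may be executed.
    Returns (allowed, reason); the caller runs `bash <path>` only on True."""
    if not verify_pinned_installer(path, expected_sha256):
        return False, "installer digest does not match the pinned value"
    if require_venv and not in_virtualenv():
        return False, "refusing to pip install outside a virtual environment"
    return True, "ok"


def demo() -> dict:
    """Write the constructed installer to a temp dir and run the gate once
    against the pinned digest and once against a tampered one."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "install_and_verify.sh")
        with open(script, "wb") as fh:
            fh.write(SAMPLE_INSTALLER)
        return {
            "digest": sha256_file(script),
            "pinned": install_gate(script, PINNED_SHA256, require_venv=False),
            "tampered": install_gate(script, "00" * 32, require_venv=False),
            "venv_checked": install_gate(script, PINNED_SHA256, require_venv=True),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The pinned digest has to come from a copy you actually read; pinning whatever the first download happened to hash only turns "trust the server now" into "trust the server at first fetch". A git commit hash in the raw URL (instead of `master`) gives the same stability for the fetch itself, but the local digest check is what protects a cached or mirrored copy.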

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
```python
    #   Compressed: 1298 tokens (40.0%)
    #   Model: claude-sonnet-4
    #   Time: 2026-06-21T10:23:01
    perf_output = os.popen("headroom perf 2>/dev/null").read()
    if not perf_output.strip():
        return []
```
Confidence
95% confidence
Finding
perf_output = os.popen("headroom perf 2>/dev/null").read()

Tainted flow: 'INGEST_URL' from os.environ.get (line 43, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
```python
        "Content-Type": "application/json",
    }
    try:
        resp = requests.post(INGEST_URL, json=event, headers=headers, timeout=10)
        resp.raise_for_status()
        return resp.json()
    except requests.exceptions.RequestException as e:
```
Confidence
95% confidence
Finding
resp = requests.post(INGEST_URL, json=event, headers=headers, timeout=10)

Tainted flow: 'INGEST_URL' from os.environ.get (line 43, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
```python
        "Content-Type": "application/json",
    }
    try:
        resp = requests.post(INGEST_URL, json={"events": events}, headers=headers, timeout=15)
        resp.raise_for_status()
        return resp.json()
    except requests.exceptions.RequestException as e:
```
Confidence
95% confidence
Finding
resp = requests.post(INGEST_URL, json={"events": events}, headers=headers, timeout=15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to perform shell execution, file writes, environment-variable modification, and network access, but declares no permissions. This mismatch is dangerous because users and the platform may not realize the skill can install packages, download models, persist API keys, modify shell rc files, and transmit data externally.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Executing an external command as a silent fallback means a local dashboard/reporting script can trigger code execution outside the Python process whenever the database is absent or unreadable. In this skill context, that is more concerning because the tool is positioned as a convenience utility and may be run on developer workstations with sensitive credentials, where PATH hijacking or compromised local tooling could turn the fallback into arbitrary command execution.
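The fallback flagged here, `os.popen("headroom perf 2>/dev/null").read()`, has three separable problems: it goes through a shell, it resolves `headroom` via whatever PATH the calling process inherited, and it runs at all whenever the database is missing. The example below is added for this audit and is not the skill's own code. It resolves the helper only from a fixed allow-list of directories (the list itself is an assumption; the skill declares none), rejects world-writable binaries, executes with a fixed argv and no shell, and treats "not found in a trusted location" as "no data" rather than as a reason to search further. The fake `headroom` it runs is constructed inside a temp dir.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Directories the tool is allowed to execute helpers from. This allow-list is
# an assumption for the example; the skill declares nothing of the kind.
TRUSTED_BIN_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


def resolve_trusted(command: str, trusted_dirs=TRUSTED_BIN_DIRS):
    """Find `command` in the trusted directories only, ignoring the caller's
    PATH, and return its real absolute path; None if absent or unsafe."""
    found = shutil.which(command, path=os.pathsep.join(trusted_dirs))
    if found is None:
        return None
    found = os.path.realpath(found)
    mode = os.stat(found).st_mode
    # A world-writable binary can be swapped by any local user.
    if mode & stat.S_IWOTH:
        return None
    return found


def perf_fallback(trusted_dirs=TRUSTED_BIN_DIRS):
    """Hardened replacement for os.popen("headroom perf 2>/dev/null").read():
    fixed argv, no shell, bounded runtime, and no execution at all when the
    helper is not found in a trusted directory. Returns stdout or None."""
    exe = resolve_trusted("headroom", trusted_dirs)
    if exe is None:
        return None
    try:
        proc = subprocess.run(
            [exe, "perf"],
            capture_output=True,
            text=True,
            timeout=30,
            check=False,
            # The child gets the same restricted PATH, not the caller's.
            env={"PATH": os.pathsep.join(trusted_dirs)},
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def demo() -> dict:
    """Place a constructed fake `headroom` in a temp dir and show that it is
    used only when that dir is on the trusted list."""
    with tempfile.TemporaryDirectory() as workdir:
        fake = os.path.join(workdir, "headroom")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho perf-ok\n")
        os.chmod(fake, 0o755)
        return {
            "resolved_in_trusted": resolve_trusted("headroom", (workdir,)) == os.path.realpath(fake),
            "resolved_untrusted": resolve_trusted("headroom", ("/nonexistent",)),
            "output_trusted": perf_fallback((workdir,)),
            "output_untrusted": perf_fallback(("/nonexistent",)),
        }


if __name__ == "__main__":
    print(demo())
```

The `2>/dev/null` in the original is what makes the fallback silent; here stderr is captured instead, so a caller that wants to log a failed or missing helper locally can, without that message ever reaching the telemetry path.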

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This script adds automatic external reporting behavior that is not necessary for the core token-compression function described by the skill. In the context of an agent skill, undisclosed or loosely scoped telemetry increases the risk of data leaving the environment unexpectedly, especially because the reported statistics are derived from model usage and may reveal operational patterns.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script prompts for or reads an API key and uses it to send data to a third-party service, even though that capability is not required to perform prompt compression itself. In a skill ecosystem, requesting credentials for ancillary telemetry expands the attack surface and can normalize unnecessary secret collection.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script collects and persists a user API key in ~/.workbuddy/headroom_config.json for a telemetry feature that is ancillary to the skill’s core purpose of token-cost reduction. While local API key storage is not inherently malicious, storing credentials in a plaintext config file without permission hardening or use of the OS keychain increases the risk of credential disclosure to other local users, backup systems, or malware.
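If the key is going to live in ~/.workbuddy/headroom_config.json at all, the minimum is that the file is created owner-only before the key is written, that the directory is not traversable by other users, and that a later read refuses a file someone has since loosened or replaced with a symlink. The example below is added for this audit and is not the skill's code; the config path is the one the finding cites, overridden in `demo()` so nothing is written under the real home directory, and the key value is a constructed placeholder. An OS keychain is still preferable where one is available; this is the floor for the plaintext-file case.

```python
import json
import os
import stat
import tempfile

# Path the finding cites; demo() overrides it so nothing touches $HOME.
DEFAULT_CONFIG = os.path.expanduser("~/.workbuddy/headroom_config.json")


def save_api_key(api_key: str, path: str = DEFAULT_CONFIG) -> str:
    """Persist the dashboard key readable by the owner only: parent dir 0700,
    file created 0600 before any byte is written, then renamed into place so
    a crash never leaves a half-written or loosely-permissioned copy."""
    parent = os.path.dirname(path)
    os.makedirs(parent, mode=0o700, exist_ok=True)
    os.chmod(parent, 0o700)
    tmp = path + ".tmp"
    # O_EXCL: fail rather than follow a pre-planted symlink at the temp name.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump({"api_key": api_key}, fh)
    except Exception:
        os.unlink(tmp)
        raise
    os.replace(tmp, path)
    return path


def audit_key_file(path: str = DEFAULT_CONFIG) -> list:
    """Return the problems found with an existing key file; [] means it is a
    regular file, owner-only, and owned by the current user."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group/other (mode %o)" % perm)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("not owned by current user")
    return problems


def demo() -> dict:
    """Save a placeholder key into a temp copy of the config path, audit it,
    then loosen it to 0644 (what a plain open()/json.dump() leaves under the
    usual umask) and audit again."""
    with tempfile.TemporaryDirectory() as workdir:
        cfg = os.path.join(workdir, ".workbuddy", "headroom_config.json")
        save_api_key("opc_user_" + "0" * 40, cfg)  # constructed placeholder key
        saved_mode = stat.S_IMODE(os.stat(cfg).st_mode)
        hardened = audit_key_file(cfg)
        os.chmod(cfg, 0o644)
        return {"saved_mode": saved_mode, "hardened": hardened, "loose": audit_key_file(cfg)}


if __name__ == "__main__":
    print(demo())
```

The reader side should call `audit_key_file()` before loading the key and refuse to use a file that reports problems; otherwise the hardening only covers the first write and not the years the file sits on disk afterwards.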

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The privacy notice tells users that only token counts, model names, and compression statistics are uploaded, but the implementation accepts arbitrary metadata and includes it in the event body sent to the remote endpoint. This creates a direct mismatch between user consent and actual data handling, and could lead to accidental exfiltration of sensitive prompt content, identifiers, or internal context if callers populate metadata unsafely.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes broad phrases such as '省钱' ("save money") and 'LLM优化' ("LLM optimization"), which can cause the skill to activate in loosely related conversations. Over-broad invocation is risky here because activation can lead to package installation, shell commands, model downloads, and optional external telemetry flows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs clients to send an API key plus arbitrary metadata to a third-party endpoint, but it does not present an explicit privacy notice, data-sharing warning, or strong guidance on limiting metadata contents. Because `metadata` is free-form JSON and examples include session identifiers and agent details, implementers may unknowingly transmit sensitive operational or user-linked data off-box.
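Both this finding and the Intent-Code Divergence finding above come down to the same defect: the event body is whatever the caller passes, so the privacy notice describes the intended payload rather than the enforced one. The example below is added for this audit and is not the skill's ingest client. It shows the pass-through pattern the findings describe beside an allow-list builder that emits only declared, typed fields and drops the rest. Only `model` and `inputTokens` appear in the page's curl example; the other field names, the size limits, and the sample stats and metadata are assumptions constructed for the example.

```python
import json

# Fields the privacy notice covers: model name, token counts, compression
# statistics. Names other than "model" and "inputTokens" (which appear in the
# page's curl example) are assumptions for this example.
ALLOWED_FIELDS = {
    "model": str,
    "inputTokens": int,
    "outputTokens": int,
    "compressedTokens": int,
    "savingsPercent": float,
}
MAX_MODEL_NAME = 64     # long "model" strings are a sign of smuggled text
MAX_EVENT_BYTES = 512   # a stats-only event is tiny; anything bigger is suspect


def build_event_passthrough(stats: dict, metadata: dict = None) -> dict:
    """The pattern the findings describe: caller-supplied metadata is copied
    into the event unchanged, so whatever lands there is sent to the ingest
    endpoint. Kept here only as the 'before' case."""
    event = dict(stats)
    if metadata:
        event["metadata"] = dict(metadata)
    return event


def build_event_minimized(stats: dict, metadata: dict = None):
    """Allow-list builder: emits only declared fields with the declared types,
    drops everything else (including all metadata) and reports what it dropped
    so the caller can log the attempt locally. Returns (event, dropped_keys)."""
    event = {}
    for key, expected in ALLOWED_FIELDS.items():
        if key not in stats:
            continue
        value = stats[key]
        if expected is float and isinstance(value, int) and not isinstance(value, bool):
            value = float(value)
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        if expected is str and len(value) > MAX_MODEL_NAME:
            raise ValueError(f"{key}: value too long to be a model name")
        event[key] = value
    dropped = sorted(set(stats) - set(event))
    if metadata:
        dropped += sorted("metadata." + k for k in metadata)
    if len(json.dumps(event).encode()) > MAX_EVENT_BYTES:
        raise ValueError("event larger than a stats-only payload should be")
    return event, dropped


# Constructed caller input: the kind of "metadata" the findings warn about.
SAMPLE_STATS = {
    "model": "gpt-4o",
    "inputTokens": 3245,
    "compressedTokens": 1298,
    "savingsPercent": 40.0,
    "prompt": "Summarize the attached contract for ACME Corp...",
}
SAMPLE_METADATA = {
    "session_id": "sess-8f3c1b",
    "user_email": "dev@example.com",
    "prompt_preview": "Summarize the attached contract",
}


def demo() -> dict:
    """Build the same event both ways and check whether prompt text leaks."""
    before = build_event_passthrough(SAMPLE_STATS, SAMPLE_METADATA)
    after, dropped = build_event_minimized(SAMPLE_STATS, SAMPLE_METADATA)
    return {
        "before": before,
        "after": after,
        "dropped": dropped,
        "before_leaks": "ACME" in json.dumps(before),
        "after_leaks": "ACME" in json.dumps(after),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size cap is the cheap backstop: a schema that only admits a short model name and a handful of numbers cannot carry a prompt, so any payload that grows past a few hundred bytes is by construction something the notice did not promise to send.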

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that CCR stores original, uncompressed content in a local SQLite database for later retrieval, but it does not clearly warn users that sensitive prompts, code, secrets, or internal context may persist on disk. In the context of a prompt-compression tool, this is security-relevant because users may assume compression reduces exposure, while reversible caching can silently create a new data-at-rest risk on developer machines or shared environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs `pip install` directly into the user's environment without an explicit warning, confirmation prompt, or isolation via a virtual environment. This is dangerous because it modifies the local system state, may introduce unreviewed dependencies, and can unexpectedly affect existing Python environments or developer tooling.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# single-event report
curl -s -X POST https://mrkjai.com/api/ingest/headroom \
  -H "X-API-Key: opc_user_<your 40-hex-char key>" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
96% confidence
Finding
```bash
curl -s -X POST https://mrkjai.com/api/ingest/headroom \
  -H "X-API-Key: opc_user_<your 40-hex-char key>" \
  -H "Content-Type: application/json" \
  -d
```

External Transmission

Medium
Category
Data Exfiltration
Content
## 6. Invocation examples

### curl (single event)

```bash
curl -X POST https://www.mrkjai.com/api/ingest/headroom \
```
Confidence
93% confidence
Finding
curl (single event):
```bash
curl -X POST https://www.mrkjai.com/api/ingest/headroom \
  -H "X-API-Key: opc_user_<your key>" \
  -H "Content-Type: application/json" \
  -d '{ "model": "gpt-4o", "inputTokens":
```

External Transmission

Medium
Category
Data Exfiltration
Content
```python
        "Content-Type": "application/json",
    }
    try:
        resp = requests.post(INGEST_URL, json=event, headers=headers, timeout=10)
        resp.raise_for_status()
        return resp.json()
    except requests.exceptions.RequestException as e:
```
Confidence
86% confidence
Finding
requests.post(INGEST_URL, json=

External Transmission

Medium
Category
Data Exfiltration
Content
```python
        "Content-Type": "application/json",
    }
    try:
        resp = requests.post(INGEST_URL, json={"events": events}, headers=headers, timeout=15)
        resp.raise_for_status()
        return resp.json()
    except requests.exceptions.RequestException as e:
```
Confidence
86% confidence
Finding
requests.post(INGEST_URL, json=

External Script Fetching

Low
Category
Supply Chain
Content
Don't want to configure by hand? One command installs and verifies:

```bash
bash <(curl -sSL https://raw.githubusercontent.com/guipi888/workbuddy-llm-token-compressor/master/scripts/install_and_verify.sh)
```

The script runs automatically: check Python version → pip install → headroom doctor → show available backends + quick-start commands.
Confidence
98% confidence
Finding
```bash
curl -sSL https://raw.githubusercontent.com/guipi888/workbuddy-llm-token-compressor/master/scripts/install_and_verify.sh)
```
The script runs automatically: check Python version → pip install → headroom doctor → show available backends + quick-start commands.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
#!/usr/bin/env bash
# install_and_verify.sh: one-click install-and-verify script for the LLM token cost saving tool
# Usage: curl -sSL https://raw.githubusercontent.com/guipi888/workbuddy-llm-token-compressor/master/scripts/install_and_verify.sh | bash
# Or run locally: bash scripts/install_and_verify.sh

set -e
```
Confidence
95% confidence
Finding
curl -sSL https://raw.githubusercontent.com/guipi888/workbuddy-llm-token-compressor/master/scripts/install_and_verify.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
#!/usr/bin/env bash
# install_and_verify.sh: one-click install-and-verify script for the LLM token cost saving tool
# Usage: curl -sSL https://raw.githubusercontent.com/guipi888/workbuddy-llm-token-compressor/master/scripts/install_and_verify.sh | bash
# Or run locally: bash scripts/install_and_verify.sh

set -e
```
Confidence
97% confidence
Finding
| bash

VirusTotal

63/63 vendors flagged this skill as clean.
