Token Cost Time

Security checks across malware telemetry and agentic risk

Overview

This is a local token cost and timing utility. Storing data locally is expected for its purpose, though users should know where logs are kept.

Before installing, confirm you are comfortable with local usage logs being written under ~/.token-cost-time/. Treat those files as private workflow metadata, review what fields are recorded, and delete or relocate the directory if you do not want historical usage data kept on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 85%
Finding
The documentation explicitly states that the skill records execution data and, by default, writes a profile and JSONL execution log under the user's home directory, but it does not clearly warn users about this persistence behavior or its privacy implications. While this is not inherently malicious, silent local logging can expose prompts, model usage patterns, token counts, and other sensitive workflow metadata if users do not realize data is being stored on disk.

VirusTotal

No VirusTotal findings
