Back to skill

Security audit

OpenClaw Token Saver

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a token-saving guide, but it includes under-scoped advice to enable powerful agent tools and a proxy idea that could bypass normal service controls.

Review before installing. The local monitor itself appears limited, but do not apply the broad tool configurations unless you intentionally want the agent to have write, exec, web, or all-tool authority. Avoid the proxy-bypass suggestion, and verify any remote installer script before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A token-saving advisory skill recommends enabling powerful 'write' and 'exec' tools even though those capabilities are not necessary for giving optimization advice. Expanding tool permissions beyond least privilege increases the blast radius if the skill is invoked in the wrong context or paired with prompt injection, potentially allowing filesystem changes or command execution unrelated to token optimization.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The local deployment and especially the 'proxy forwarding' guidance goes beyond cost optimization into access circumvention, explicitly suggesting routing through a web AI path to avoid official token consumption. In this skill context, that is more dangerous because it normalizes bypassing provider controls, billing, or approved infrastructure, which can lead to policy violations, unauthorized access patterns, or unsafe third-party handling of prompts and data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly recommends enabling write and exec-capable tools as a token-saving optimization, but it provides no warning that these capabilities can modify files or execute system commands. In an agent skill context, normalizing these permissions increases the blast radius of prompt injection, user mistakes, or malicious downstream content.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill describes background and automatic monitoring of token usage without explaining what data is observed, stored, or transmitted. While token monitoring is not inherently dangerous, omission of privacy and data-handling guidance can mislead users about whether conversation metadata or content may be processed continuously.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installation instructions include a remote shell bootstrap pattern without any safety warning or verification guidance. Encouraging users to execute network-fetched installer code directly can lead to arbitrary code execution if the source is compromised, intercepted, or replaced.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.