Token Manager

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its token-management purpose, but it needs review because it can accept API keys on the command line while claiming keys are only read from environment variables.

Review before installing. Prefer environment variables for API keys, do not pass secrets as command arguments, avoid sending sensitive prompt text through provider token-estimation APIs, and remove any cron job when you no longer want recurring balance checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The security notice is materially misleading: the code does make outbound requests to third-party provider APIs in both `queryBalance` and `estimateTokens`, and `estimateTokens` may transmit user-supplied text/messages to a remote service. Misrepresenting data handling can cause users to expose sensitive prompts or credentials under false assumptions about locality and no third-party sharing.

Vague Triggers

Medium
Confidence: 74%
Finding
The invocation guidance is very broad ('monitor usage', 'generate reports', 'track usage across multiple sessions'), which can cause the skill to be selected in generic monitoring contexts without the user fully intending persistent tracking or balance querying. In an agent ecosystem, overbroad activation increases the chance that sensitive operational data is processed or stored unnecessarily.

Missing User Warnings

Medium
Confidence: 88%
Finding
The scheduled monitoring section describes cron-based recurring checks and alerting, but it does not present a prominent warning that this feature persists local state and performs repeated API interactions over time. Users may enable it without understanding that monitoring continues after the initial setup, creating privacy, billing, and surprise-execution risks.

Missing User Warnings

Medium
Confidence: 99%
Finding
Accepting API keys as positional CLI arguments exposes secrets through shell history, process listings, audit logs, and potentially terminal scrollback. In a token-management tool that directly handles provider credentials, this significantly increases the chance of credential leakage and unauthorized API usage.

VirusTotal

64/64 vendors flagged this skill as clean.