ai-quota-check

Security checks across malware telemetry and agentic risk

Overview

This quota checker is mostly purpose-aligned, but it reads local auth/session data and silently runs Codex to refresh quota information without clear opt-in.

Review before installing. Use this only if you are comfortable with it reading local OpenClaw/Codex account state, sending stored provider tokens to the relevant quota endpoints, and making a small Codex request during checks. Prefer a version with a local-only default, an explicit refresh flag, narrower triggers, and output redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding
The skill declares no explicit permissions even though its documented behavior and referenced execution path imply access to environment-derived authentication state and provider session information. Missing permission declarations weaken reviewability and user consent, making it easier for a seemingly simple quota tool to access sensitive auth context without clear disclosure.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The skill is presented as a quota dashboard, but the analysis indicates it also performs live external `codex exec` requests, refreshes local session state, and inspects login/token status. That mismatch is dangerous because users may invoke it expecting passive read-only reporting while it actually causes network actions and state changes that can consume quota, alter sessions, or expose authentication metadata.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill executes an external `codex exec` command purely to refresh quota data, which creates side effects beyond reading local state. Even though the command is fixed and not directly user-controlled, silently invoking another tool can consume quota, trigger network activity, and execute a binary resolved from the environment PATH, which is unsafe behavior for a quota-checking utility.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list includes generic terms like "quota" that may appear in ordinary conversation, causing the skill to activate when the user did not explicitly intend to invoke it. In an agent environment, overly broad activation can divert requests, expose provider/account status unnecessarily, or cause the wrong tool to run before more appropriate logic.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger condition is very broad ('use this skill FIRST' for many quota-related phrases), which increases the chance of automatic execution in contexts where the user did not intend provider-wide checks or live backend interaction. Because this skill appears capable of auth inspection and external requests, overbroad routing materially raises the risk of unnecessary data access and unintended side effects.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill silently issues a Codex request with no warning or confirmation, which violates the expected behavior of a passive quota viewer. In this context, the hidden request is especially risky because it can itself alter the very quota being inspected and causes undisclosed local command execution and likely network communication.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill reads stored provider credentials and sends them to remote provider endpoints without clearly informing the user in help text or output. Contacting legitimate APIs for quota checks is expected to some extent, but undisclosed token use is still a security and privacy concern because users may believe the tool is only inspecting local state.

Direct Prompt Extraction

High
Category: System Prompt Leakage
Content
Unified quota monitor and intelligent model recommender for all providers.

## Output Instructions

**IMPORTANT:** When executing this skill, display the script output **EXACTLY as-is** in markdown format. Do NOT summarize or rephrase the output. The script produces a formatted dashboard that should be shown directly to the user.
Confidence: 95%
Finding
Output Instructions

VirusTotal

66/66 vendors flagged this skill as clean.