Token Estimator

Security checks across malware telemetry and agentic risk

Overview

This skill estimates token usage locally and has disclosure gaps around dependency downloads and broad triggers, but the artifacts do not show exfiltration, persistence, credential access, or destructive behavior.

Reasonable to install if you want token estimates, but do not treat it as a strict offline guarantee unless dependencies and tokenizer assets are already cached or network access is blocked. Use explicit commands when invoking it, and avoid sending sensitive text through environments where dependency downloads are not controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The documentation claims the skill performs all processing locally with no external transmission, but the implementation description uses AutoTokenizer.from_pretrained("Qwen/Qwen-7B"), which typically fetches model/tokenizer assets from remote registries unless they are already vendored or cached. This creates a misleading privacy and security posture: operators may approve the skill assuming no network access, while runtime behavior can still contact external services and leak metadata or violate network isolation expectations.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger list includes broad, everyday terms such as 'token', 'count', '预估' (estimate), and '消耗' (consumption), which can easily appear in unrelated conversations and cause unintended activation. In an agent environment, accidental invocation can expose user content to skill processing, create confusing behavior, and trigger secondary actions such as quota lookups or compression suggestions without clear user intent.

Vague Triggers

Medium
Confidence: 82%
Finding
The documentation promotes very broad natural-language activation ('自然语言,随口一说,系统就懂', roughly "natural language: say it casually and the system understands") without defining clear invocation limits. That increases the chance that ordinary discussion about cost, tokens, usage, or estimation will invoke the skill unexpectedly, which is risky in a context where the skill may inspect text length, estimate usage, or suggest downstream actions.

VirusTotal

66/66 vendors flagged this skill as clean.
