Back to skill

Security audit

Tokenizer

Security checks across malware telemetry and agentic risk

Overview

This token optimization skill is not clearly malicious, but it needs Review because it can automatically persist conversation-derived memory and includes configurable local script execution broader than the main description discloses.

Install only if you are comfortable with the skill reading local skill metadata and conversation-history files, running local Python helper scripts, and storing distilled conversation facts on disk. Disable or remove the orchestration and memory-agent files if you only need token counting, require explicit user approval before memory writes or flushes, and avoid remote tokenizer/model downloads in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while explicitly requiring python3 and instructing the agent to read files, write output files, inspect environment-configured paths, and run shell commands. That mismatch can bypass operator expectations and policy enforcement, increasing the chance the skill is invoked with broader access than users or reviewers realize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The stated purpose is token optimization, but the skill also describes persistent memory distillation, episodic storage writes, optional external model/library use, and filesystem/config discovery from multiple locations. This broader behavior is dangerous because a caller may authorize a low-risk 'token audit' skill without realizing it can transform conversation history, write memory artifacts, execute helper tooling, and potentially pull in external dependencies or assets.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The call to AutoTokenizer.from_pretrained(model_id) can fetch tokenizer artifacts from Hugging Face or other configured remotes, introducing unintended network access and dependency on untrusted external content during what is presented as a local token-counting operation. In an agent skill context, this expands the trust boundary, may leak metadata about usage, and can cause nondeterministic behavior or supply-chain exposure if model identifiers are attacker-controlled or remote content changes.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file's behavior materially exceeds the manifest's stated token-economy role by autonomously distilling conversation history into long-term episodic memory and signaling memory flushes. This capability mismatch is dangerous because users or orchestrators may grant the skill broader access under the assumption it only analyzes token usage, leading to covert persistence of sensitive conversation data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill performs autonomous long-term memory management, including writing episodic memory files and influencing working-memory flush behavior, which is not justified by a token-optimization utility. In this context, the mismatch makes the capability more dangerous because it can silently persist or reshape user context beyond what the declared purpose suggests.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This skill executes another Python script despite being described as a token-analysis/optimization tool, increasing its effective privilege and behavioral scope. In a skill ecosystem, undisclosed code execution is risky because configuration can redirect which script runs, enabling unexpected processing of sensitive histories or execution of unreviewed local code.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The autonomous memory agent continuously distills and archives based on triggers without an explicit user approval boundary. In a token-optimization skill context, this increases the chance of unintended persistence, transformation, or flushing of conversational data, which can affect confidentiality and integrity of user context if the behavior is triggered unexpectedly.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements a generic script dispatcher driven by configuration, which materially exceeds the declared token-economy purpose of the skill. In an agent environment, broad execution capability hidden behind a benign manifest can be used to run unrelated or unsafe procedures, increasing the risk of privilege expansion and policy bypass.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The runner loads an external configuration file and trusts its tool_registry to select which script to execute. If that config is modified or influenced by another component, the skill can be repurposed to execute arbitrary registered scripts under the guise of token optimization, creating a strong capability-escalation path.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation explicitly describes a general 'motor cortex' dispatcher for executing known procedures, not a focused token-economy analyzer. This mismatch makes the skill more dangerous in context because users and orchestrators may grant it trust based on the manifest while the code exposes a broader operational surface than advertised.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Initializing PromptCompressor with a Hugging Face model name can implicitly download remote model artifacts at runtime. In a skill designed to process prompts and memory content, this creates an unannounced trust boundary crossing where sensitive operational data may be handled in an environment that fetches external dependencies, increasing supply-chain and privacy risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code writes session state to disk without any user-facing disclosure, creating silent persistence of conversational metadata. In an agent-memory context, even turn counts and task-completion state can reveal workflow patterns and contribute to unintended retention when users expect ephemeral processing.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad procedural trigger phrases such as generic compression requests can match ordinary conversation and cause unintended tool invocation. In a skill that manipulates prompt/context content, accidental activation could compress or alter user-provided text without sufficiently clear intent, reducing reliability and potentially causing unwanted data handling.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The reasoning keyword list contains extremely common phrases like 'why' and 'help me think,' which can over-broaden routing and intercept normal conversation. In this skill context, that makes the system more dangerous because benign user questions may be reclassified into token-economy workflows or orchestration behaviors, causing unintended analysis, memory operations, or context modification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.