Token Tracker Pro

Security checks across malware telemetry and agentic risk

Overview

The skill mostly tracks local token usage as advertised, but it includes unsafe command execution and persistent OS shortcut/profile changes that need careful review before installation.

Install only if you trust this publisher and are comfortable running a local Node CLI. Avoid the global token-tracker wrapper with untrusted arguments, do not run shortcut setup unless you accept changes to shell and OS launcher files, and treat exported history or the dashboard as potentially sensitive because it can include session-linked usage metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises functionality that implies environment access and local networking, but the manifest shown does not declare permissions or clearly warn users about those capabilities. Undeclared capabilities reduce transparency and can lead users to install a skill that opens a local server or reads environment/config context without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose is token tracking, but the described behavior extends into running an Express dashboard/API, exporting files, configuring shortcuts, and modifying shell or OS integration files. This scope expansion increases attack surface and user risk because filesystem persistence, local HTTP services, and shell/profile changes are materially more sensitive than simple local statistics collection.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The wrapper builds a shell command with string interpolation and runs it via execSync, which invokes a shell. Because raw user-controlled arguments are concatenated with args.join(' '), an attacker can inject shell metacharacters and execute arbitrary commands on the host, far beyond the stated token-tracking purpose. The skill context makes this more dangerous because a simple analytics utility has no clear need for general shell execution, so this capability is both unnecessary and high-risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The CLI exposes `cleanup` and `reset` commands even though the stated skill purpose is token tracking and reporting. In a globally installed CLI, unexpected destructive maintenance operations increase risk because users may invoke them accidentally or via automation, and the code provides no indication of scope or safety checks.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Allowing destructive reset/cleanup operations from a token-tracking tool is a scope mismatch that can lead to data loss if the underlying npm scripts delete stored history or configuration. The danger is heightened because the CLI abstracts these actions behind short commands without surfacing what resources are affected.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The Linux shortcut setup writes persistent files into ~/.config/autostart and appends to ~/.bashrc, which changes user startup behavior outside the stated purpose of token tracking. Even if intended as convenience, modifying persistence and shell configuration without clear consent creates an unnecessary attack surface and can be abused to influence future command execution.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements cross-platform installation of persistent OS-level workflows and hotkey launchers, which is unrelated to a token usage statistics skill. This capability expansion is dangerous because it grants the skill control over recurring local execution paths and user-triggered command launch points that are broader than minimally necessary.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Creating persistent desktop entries under the user's configuration establishes system-level behavior for a tool that should only read and summarize token consumption. Persistence mechanisms are security-sensitive because they survive normal execution and may be leveraged later to execute altered binaries or commands in the user's environment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Reading and modifying ~/.bashrc changes the user's shell environment globally by prepending a skill-controlled directory to PATH. That can affect unrelated future terminal sessions and may enable command hijacking if executables in that directory shadow trusted commands, making this far riskier than needed for token statistics.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The export command writes the full token history, including model names, timestamps, and session identifiers, to a user-specified path. That expands the skill from simple tracking/statistics into data extraction and persistence, which can expose potentially sensitive usage metadata if users export to insecure locations or overwrite unintended files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README documents automatic session recording and persistent storage in `data/token-history.json` but does not warn users that session-related data will be collected and retained locally. In an agent skill context, undisclosed logging can expose usage patterns, prompts, or metadata and increases privacy risk because users may enable hooks without understanding the persistence behavior.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documented cleanup and reset commands can delete historical data, but the skill documentation does not prominently warn about irreversible data loss or describe confirmation safeguards. In a tracking tool, silent or poorly explained destructive operations can cause loss of audit/history information that users may rely on for billing, debugging, or usage analysis.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code forwards all CLI arguments directly into the shell-executed command without sanitization or escaping and without warning users that their input will be interpreted by a shell. This creates a command injection path where crafted input can break argument boundaries or append additional commands, leading to arbitrary code execution. In a token-usage tracking skill, this behavior is especially unjustified and therefore more suspicious.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI directly runs npm scripts for destructive commands through `execSync` with no user-facing warning, preview, or confirmation step. This creates a straightforward path to accidental destructive execution, especially in a global CLI where short aliases and automation may make invocation easy.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code modifies the user's shell startup file without any prior warning, preview, or confirmation. Silent persistence-related changes undermine user trust and increase the chance of unsafe environmental side effects, especially in a skill whose declared role does not justify such access.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The skill automatically reads token-history data from a file in the user's home directory without any visible disclosure or consent flow. Even if the data is application-specific, usage history can reveal model choices, workload patterns, and potentially sensitive metadata, making silent collection a privacy issue.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The skill writes a report file into the user's home-directory application data without explicit warning, which can create unexpected local artifacts containing usage and cost-analysis information. While this is not code execution or exfiltration, it is a privacy and transparency weakness because users may not expect persistent report generation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The command accepts an arbitrary output filename and writes token history directly to disk without any consent prompt or safety checks. In a CLI handling potentially sensitive usage records, this can lead to accidental disclosure, overwriting of files, or persistence of data in shared or monitored locations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The hook reads SESSION_KEY from the environment and forwards it into tokenTracker.record() at both session start and end, which creates a real risk of storing or propagating credential-like material beyond its original purpose. In a telemetry/tracking skill, persisting a session key is unnecessary unless explicitly justified and protected, and if the downstream tracker writes to disk, logs, or syncs externally, this can expose secrets and enable session hijacking or unauthorized access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill persistently writes detailed token usage history, including timestamps, model names, and optional sessionKey values, to a JSON file under the user's home directory without any consent flow, disclosure, retention notice, or file-permission hardening visible in this code. In an agent environment, this creates a privacy risk because local usage patterns and session identifiers can be exposed to other local users, backup systems, or unrelated tools that can read the file.

Session Persistence

Medium
Category
Rogue Agent
Content
const workflowFile = path.join(workflowDir, `token-tracker-${shortcut}.workflow`);

      const workflowContent = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key>
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
const workflowFile = path.join(workflowDir, `token-tracker-${shortcut}.workflow`);

      const workflowContent = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key>
Confidence
87% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
const workflowContent = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key>
  <string>/usr/local/bin/bash</string>
Confidence
89% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
<string>token-tracker ${command}</string>
  </array>
</dict>
</plist>`;

      fs.writeFileSync(workflowFile, workflowContent);
    }
Confidence
89% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.
