token-use-optimizer

This skill appears coherent: it bundles a Python auditor and documentation that match its stated goal of auditing Rules/Memory/Knowledge token costs. Before installing or running: - Inspect SKILL.md and scripts/token_audit.py yourself (or have a developer do so). The included script reads files under the target project and prints a report — it does not perform network calls in the provided code, but executing arbitrary scripts can be risky. - Run the script on a copy of your project, not on a production workspace containing secrets. The tool will read repository files (including MEMORY.md) and may output their contents or character counts. - Pay attention to the pre-scan 'system-prompt-override' flag: search SKILL.md for any lines that try to change system prompts or inject agent/system-level instructions. If you find such lines, do not run the skill until they are removed or explained. - Execute the script in a restricted environment (non-root user, ephemeral container) the first time to confirm behavior. - If you rely on enterprise security policy, have your security/dev team review the Python file for any unexpected file writes or subprocess/network usage (the provided code appears to use only local file reads and standard libs). If you want higher confidence, provide the exact SKILL.md frontmatter and the full, untruncated portion of scripts/token_audit.py print/report output for a quick line-by-line check.

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.