Security audit

Token Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent token-usage tracker, but its persistent hook logs full session context beyond what token accounting needs.

Review this before installing. Remove or disable the full context log in hooks/token-logger/handler.js before enabling automatic logging, and only enable the hook or Telegram cron reports if you are comfortable with ongoing local usage history and scheduled notifications.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill clearly instructs users to install a hook, copy files into managed hook directories, and persist usage data to local JSON files, but the front matter does not declare corresponding permissions. Undeclared file read/write capability weakens user consent and security review because the skill can access session-derived data and write persistent records without an explicit permission contract.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill promotes automatic session-based token logging and recurring bill/alert pushes, but it does not provide a strong privacy notice, retention policy, or explicit consent flow for ongoing collection and notifications. Because session status may reveal model usage patterns and identifiers over time, silent continuous logging increases privacy and operational risk.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The hook logs the entire session context with `JSON.stringify(event.context, null, 2)`, which can expose prompts, summaries, metadata, and other potentially sensitive session data to stdout or captured logs. In a token-tracking skill, this is unnecessary for normal operation and increases the risk of inadvertent data disclosure through terminal history, centralized logging, or support artifacts.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill persists session identifiers and detailed usage metadata to a local JSON log under the user's home directory without any notice, consent flow, minimization, or retention control. Session IDs can be sensitive correlators because they may link activity across runs or users, and the risk is amplified if the workspace is shared, backed up, or readable by other local processes.

Session Persistence

Medium

Category: Rogue Agent
Content: ```bash # 方法一：复制 hook 到 managed hooks 目录 mkdir -p ~/.openclaw/hooks/token-logger cp hooks/token-logger/HOOK.md ~/.openclaw/hooks/token-logger/ cp hooks/token-logger/handler.js ~/.openclaw/hooks/token-logger/
Confidence: 88% confidence
Finding: mkdir -p ~/.openclaw/hooks/token-logger cp hooks/token-logger/HOOK.md ~/.openclaw/hooks/token-logger/ cp hooks/token-logger/handler.js ~/.openclaw/hooks/token-logger/ # 方法二：使用 openclaw hooks install（

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal