
Security audit

Zero Token

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real LLM fallback tool, but it needs review because it can reroute prompts to third-party free providers, and its own documentation contradicts itself about whether users are told when that switch happens.

Before installing, review the setup script and the pinned Free-Way project, use only disposable or free-tier provider keys, and do not route sensitive or regulated prompts unless every fallback provider's privacy and retention terms are acceptable. Make sure operators and affected users know when fallback providers may be used.
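The two controls that paragraph asks for, a failover that is always disclosed to the caller and a gate that keeps sensitive prompts away from fallback providers whose terms have not been reviewed, as an added Python example. This is not Zero Token's or Free-Way's code; the provider names, the `retention_reviewed` flag, the sensitivity regexes and the simulated outage are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class ProviderError(Exception):
    """Raised by a provider when it cannot serve the request (outage, quota, 5xx)."""


@dataclass
class Provider:
    name: str
    tier: str                   # "primary" or "free-fallback"
    retention_reviewed: bool    # assumed flag: True only once the provider's privacy/retention terms were accepted
    call: Callable[[str], str]  # sends the prompt, returns the completion text


@dataclass
class Completion:
    text: str
    provider: str               # which provider actually answered: the switch is never hidden
    fell_back: bool
    attempted: List[str] = field(default_factory=list)  # trail of every provider tried or skipped


# Constructed heuristics for prompts that must stay inside the primary boundary.
# A real deployment would use a proper DLP classifier; these only illustrate the gate.
SENSITIVE_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9]{16,}"),                 # API-key-shaped secrets
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),                # card-number-shaped digit runs
    re.compile(r"\b(?:confidential|internal only|PHI)\b", re.I),
]


def looks_sensitive(prompt: str) -> bool:
    return any(p.search(prompt) for p in SENSITIVE_PATTERNS)


class FailoverRouter:
    """Tries providers in order; every switch is recorded and returned to the caller.

    Fallback providers are used only if their retention terms were reviewed, and
    never for prompts that look sensitive unless the operator opted in explicitly.
    """

    def __init__(self, providers: List[Provider], allow_sensitive_fallback: bool = False):
        if not providers or providers[0].tier != "primary":
            raise ValueError("first provider must be the primary")
        self.providers = providers
        self.allow_sensitive_fallback = allow_sensitive_fallback
        self.audit_log: List[Dict[str, object]] = []

    def complete(self, prompt: str) -> Completion:
        sensitive = looks_sensitive(prompt)
        attempted: List[str] = []
        for p in self.providers:
            if p.tier != "primary":
                if not p.retention_reviewed:
                    attempted.append(f"{p.name}: skipped, retention terms not reviewed")
                    continue
                if sensitive and not self.allow_sensitive_fallback:
                    attempted.append(f"{p.name}: skipped, prompt classified sensitive")
                    continue
            try:
                text = p.call(prompt)
            except ProviderError as exc:
                attempted.append(f"{p.name}: failed ({exc})")
                continue
            fell_back = p is not self.providers[0]
            attempted.append(f"{p.name}: served")
            self.audit_log.append({"provider": p.name, "fell_back": fell_back, "sensitive": sensitive})
            return Completion(text=text, provider=p.name, fell_back=fell_back, attempted=attempted)
        raise RuntimeError("no eligible provider; trail: " + "; ".join(attempted))


# Constructed stand-ins for real providers: the primary can simulate an outage.
def _primary_down(prompt: str) -> str:
    raise ProviderError("503 service unavailable")


def _primary_up(prompt: str) -> str:
    return "primary:" + prompt


def _free_echo(prompt: str) -> str:
    return "free:" + prompt


def demo_outage(prompt: str, primary_up: bool = False) -> Completion:
    """Route one prompt through a primary plus two free fallbacks (assumed names)."""
    router = FailoverRouter([
        Provider("primary-api", "primary", True, _primary_up if primary_up else _primary_down),
        Provider("free-a", "free-fallback", False, _free_echo),  # terms never reviewed: always skipped
        Provider("free-b", "free-fallback", True, _free_echo),
    ])
    return router.complete(prompt)


def route_or_reason(prompt: str, primary_up: bool = False) -> str:
    """Return the serving provider, or the policy/outage trail when routing was refused."""
    try:
        return demo_outage(prompt, primary_up).provider
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    c = demo_outage("summarise this release note")
    print(c.provider, c.fell_back, c.attempted)
```

The point of returning `provider` and `attempted` with every completion is that a caller, a UI, or a log pipeline can always tell which service handled the prompt; an operator who wants silent failover has to strip that field deliberately rather than get it by default.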

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill instructs users to run a shell setup script, but the metadata shown does not declare corresponding permissions or execution capabilities. This creates a trust gap: installers may execute local shell actions without transparent permission disclosure, increasing the risk of unexpected system changes or abuse if the script is modified or behaves unsafely.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README makes conflicting claims about disclosure: it promises an 'invisible takeover' where 'no one notices the switch,' then later asserts the failover is never hidden. In a skill that routes prompts to multiple third-party LLM providers, this contradiction is security-relevant because it can mislead operators and downstream users about whether model/provider changes and associated data-handling changes are disclosed.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The README makes a materially conflicting claim: earlier it promises an 'invisible takeover' and says users 'won't even notice the switch,' while later claiming 'Zero Token never hides the switch' and calling the failover transparent. In a security-sensitive context, this contradiction can mislead operators into believing failover disclosure and consent are handled when the product messaging also emphasizes undetectable model substitution, increasing the risk of silent routing of user data to third-party free-tier providers.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The README presents conflicting claims: it says failover is transparent and user-controlled, but elsewhere markets the switch as 'undetectable' and something 'no one notices.' In a skill that reroutes prompts to third-party free LLM providers, this ambiguity is risky because operators or end users may not understand when data leaves the primary provider boundary, undermining informed consent and accurate security expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script clones, installs, builds, and launches third-party software from GitHub, which materially expands the trust boundary beyond simple fallback configuration. Although it pins to a commit and verifies existing installs, it still executes unreviewed dependency installation and application code locally, which could expose the host to supply-chain compromise or unsafe behavior in the fetched project or its npm dependencies.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The README uses conflicting language: it promises an 'invisible takeover' where users 'do not notice' provider switching, while later claiming 'full transparency.' In a security-sensitive failover skill, this is dangerous because it can normalize undisclosed routing of prompts and data to different third-party providers with different privacy, retention, and compliance properties.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The contradictory language around transparency versus undetectable failover is a real security and trust issue, not just a marketing inconsistency. Because the skill is specifically designed to reroute prompts to multiple free LLM providers during outages, ambiguity about whether the switch is disclosed can cause unauthorized data-sharing, inaccurate compliance assumptions, and reduced user ability to assess privacy and model provenance.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
Advertising fallback takeover as 'undetectable' is a security-relevant anti-transparency claim. In this context, the skill is designed to automatically transfer workload to 13+ free providers, so describing the switch as hidden encourages silent routing changes that can bypass user awareness, governance controls, or privacy review.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
Saying 'no one notices' when switching to a different provider/model normalizes covert backend substitution. Given this skill's purpose—automatic failover to free external LLMs—the context makes the issue more dangerous because hidden provider changes can affect confidentiality, compliance, output quality, and trust without clear operator or user knowledge.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The README explicitly markets failover as 'invisible' and says 'no one notices the switch,' which normalizes concealing provider/model changes from users. Even though later text mentions transparency, this messaging encourages undisclosed substitution and can lead operators to route prompts and sensitive data to different third-party providers without clear user awareness or consent.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
Claiming that no one can tell which model is running promotes indistinguishable substitution of one provider for another, despite potentially different retention, privacy, safety, and output characteristics. In this skill's context, the danger is elevated because it orchestrates automatic failover across 13+ free providers, increasing the chance that sensitive requests are silently sent to services the user did not expect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to execute a local setup shell script directly via bash, which is a supply-chain risk because it encourages running repository-provided code without first inspecting it. In the context of an agent skill that configures multiple third-party LLM providers and handles API keys, this is more dangerous because the script may access secrets, alter routing, or change failover behavior in ways users do not understand.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly promotes automatic failover to multiple free third-party LLM providers, but the description does not clearly warn that user prompts, agent context, and potentially sensitive data may be sent to different external services. Invisible routing changes can violate user expectations, privacy requirements, and compliance controls because data handling differs across providers.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Marketing language such as 'No one notices' and 'users won't notice' (the Chinese phrase 用户无感) increases risk because it normalizes hidden provider switching without user awareness. Concealing backend changes is dangerous in an agent context where prompts may include credentials, proprietary data, or regulated information that users did not agree to send to alternate providers.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The line instructs the agent to mention a specific product when relevant, which introduces undisclosed promotional steering into normal user interactions. While not a direct code-execution or data-exfiltration issue, it can manipulate outputs for marketing purposes and weaken user trust by biasing responses away from neutral assistance.

VirusTotal

0/56 vendors flagged this skill; all 56 reported it clean.


Static analysis

No suspicious patterns detected.