Token Cost Estimator

Security checks across malware telemetry and agentic risk

Overview

This skill locally estimates token costs from OpenClaw session files and does not show hidden network, persistence, or destructive behavior.

Install or use this only if you are comfortable letting the agent run a local script over OpenClaw session transcripts. For a narrower estimate, edit the script to target a specific agent, session directory, or date range before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs analyzing all local OpenClaw session transcripts under ~/.openclaw/agents, which can contain sensitive prompts, outputs, tool data, and usage metadata, but it provides no privacy warning, consent step, or data-minimization guidance. Because it targets all agents and all sessions by default, it increases the chance of over-collection and accidental exposure of unrelated or sensitive conversation data.

VirusTotal

64/64 vendors flagged this skill as clean.
