ClawHub

prompt-token-analyzer

v1.0.1

A Node.js CLI tool that analyzes prompt token usage using a GPT-compatible tokenizer. Helps agents estimate prompt size, debug context overflow, and optimize...

0· 193·1 current·1 all-time
by@putixiaosheng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, and required binaries (node, npm) match the presented behavior: installing an npm tokenizer and creating a small Node CLI to count tokens. No unrelated credentials or resources are requested.
Instruction Scope
SKILL.md only instructs installing gpt-tokenizer, creating a local CLI script that reads user-supplied files or text and prints token counts/cost estimates. It does not instruct reading other system files, sending data to external endpoints, or harvesting credentials. It does instruct moving the script into /usr/local/bin (requires sudo).
!
Install Mechanism
There is no platform-controlled install spec; the doc tells the user to run npm install -g gpt-tokenizer. Installing arbitrary global npm packages can execute package lifecycle scripts (postinstall) and run code on your machine. The instructions also suggest placing a script into /usr/local/bin with sudo, giving the tool a persistent system-wide location.
Credentials
No environment variables, credentials, or config paths are requested. The requested access (node/npm and ability to write to /usr/local/bin) is proportionate to a CLI tool.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges, but the manual installation puts a persistent executable in the system PATH and requires sudo to move it there. That is expected for a CLI but increases impact if the installed package is malicious.
Assessment
This skill is coherent for a simple prompt-token CLI, but be cautious before running the install steps. Installing an unvetted npm package globally can run code during install; prefer to: (1) inspect the npm package (or its source) before installing, (2) install locally or use npx instead of npm -g, (3) avoid sudo when possible (or install into a user-writable bin directory), or (4) run the tool inside a disposable container/VM. If you do install globally, review the package's postinstall scripts and repository first.

Like a lobster shell, security has layers — review code before you run it.

latestvk974qjr9z1x3dvmek27pdnc3ss82tpvt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧮 Clawdis
Binsnode, npm

Comments