Security audit

TokenQrusher

Security checks across malware telemetry and agentic risk

Overview

The skill’s core behavior is a disclosed local cost-optimization hook system, but users should review optional model/provider configuration examples and migration cleanup commands before using them.

Install only if you want OpenClaw hooks that automatically reduce loaded context and heartbeat work. Review the hook configs after installation, avoid applying provider-fallback or model-routing patches unless you explicitly want those data flows, and back up or manually verify any old hook directories before running the migration deletion commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill advertises local hooks and CLI commands that read configs, modify hook state, invoke shell commands, and remove directories, yet no permissions are declared. That creates a transparency and policy-enforcement gap: users and platforms cannot accurately assess or constrain the skill's actual capabilities before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The stated purpose is token-cost reduction, but the documented behavior also includes heartbeat scheduling, state management, hook enablement, and filesystem mutation. This mismatch can mislead users about the operational scope, causing them to install a skill with broader authority and persistence than expected.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is presented as a token-optimization patch set, but this section adds automatic failover to additional third-party LLM providers using separate API credentials and model remapping. That expands the trust boundary and can cause prompts, internal context, and possibly sensitive workspace content to be sent to providers not clearly expected by the operator, creating data-governance and confidentiality risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The configuration introduces use of additional credentials and automatic failover behavior that is not tightly aligned with the stated purpose of reducing token costs. In practice, this can silently broaden outbound data flows during rate limits or errors, making it easier for sensitive prompts or documents to reach external services under conditions users may not anticipate.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The security manifest claims the CLI does not access external endpoints or modify local state, yet the code invokes external OpenClaw commands to inspect hooks and enable them. This mismatch is dangerous because reviewers and users may trust the manifest and run the tool without realizing it can alter agent configuration and system behavior.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as token optimization, but it includes installation and system-integration behavior for hooks and cron-related actions. This hidden scope expansion increases risk because a user expecting advisory optimization logic may instead grant a tool permission to persist configuration changes in their OpenClaw environment.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Using subprocesses to alter hook configuration is not well-justified by the stated token optimization purpose, creating an unnecessary capability escalation. In a skill context, unjustified system-modifying behavior is especially risky because it can be bundled into an apparently harmless utility and executed with user trust.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The migration guide instructs users to run recursive force-deletion commands against directories under their home folder without any warning, confirmation step, backup guidance, or verification command. Even though the paths appear scoped, destructive shell commands in documentation are risky because users may run them blindly, adapt them incorrectly, or execute them in environments where path expansion or copied text has been altered.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to run destructive deletion commands during migration without any warning, verification step, or backup guidance. Even though the paths shown are specific to OpenClaw hook directories, documenting irreversible removal in upgrade steps can cause accidental data loss if copied blindly or modified incorrectly.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The migration instructions include recursive deletion commands without an explicit warning, backup guidance, or validation steps. Users may run them verbatim and delete more than intended if paths are mis-expanded, edited incorrectly, or executed in an unexpected environment.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The template explicitly instructs the agent to override the session model to a specific Quick-tier provider without any user opt-in or higher-level policy check. This can bypass operator expectations around model selection, cost controls, privacy/compliance requirements, or quality/safety settings, making downstream behavior less governed and potentially less trustworthy.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The routing regexes are broad enough to match many ordinary requests, so tasks may be downgraded or rerouted based on incidental wording rather than actual complexity. This can lead to incorrect model selection, weaker reasoning on important tasks, and unexpected handling differences that undermine reliability and reviewability.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The template explicitly forces heartbeats onto a specific low-cost model/tier ('Quick' and a concrete model override) without user opt-in or policy gating. This can weaken safety, reliability, and user control by routing potentially sensitive monitoring summaries through a cheaper model that may have different safeguards, quality, retention, or provider characteristics than the user expects.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
2. **Remove old hook directories** (they will no longer be used):
   ```bash
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
97% confidence
Finding
rm -rf ~/.openclaw/hooks/token-model rm -rf ~/.openclaw/hooks/token-usage rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
2. **Remove old hook directories** (they will no longer be used):
   ```bash
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
97% confidence
Finding
rm -rf ~/.openclaw/hooks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-model
   openclaw hooks disable token-usage
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
82% confidence
Finding
rm -rf ~/.openclaw/hooks/token-model rm -rf ~/.openclaw/hooks/token-usage rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-model
   openclaw hooks disable token-usage
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
82% confidence
Finding
rm -rf ~/.openclaw/hooks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-usage
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
82% confidence
Finding
rm -rf ~/.openclaw/hooks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```

2. Update the skill:
Confidence
82% confidence
Finding
rm -rf ~/.openclaw/hooks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-model
   openclaw hooks disable token-usage
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
81% confidence
Finding
rm -rf ~/.openclaw/hooks/token-model rm -rf ~/.openclaw/hooks/token-usage rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-model
   openclaw hooks disable token-usage
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
81% confidence
Finding
rm -rf ~/.openclaw/hooks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-usage
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```
Confidence
81% confidence
Finding
rm -rf ~/.openclaw/hooks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
   ```bash
   openclaw hooks disable token-cron
   rm -rf ~/.openclaw/hooks/token-model
   rm -rf ~/.openclaw/hooks/token-usage
   rm -rf ~/.openclaw/hooks/token-cron
   ```

2. Update the skill:
Confidence
81% confidence
Finding
rm -rf ~/.openclaw/hooks/

VirusTotal

66/66 vendors flagged this skill as clean.