Token Alert

Security checks across malware telemetry and agentic risk

Overview

This token-monitoring skill mostly matches its purpose, but its dashboard and local proxy can use an exposed gateway token to list, export, and modify chat sessions without strong scoping or confirmation.

Review before installing. The basic CLI token checker is low risk, but do not run the dashboard proxy, enable auto-export/auto-summary, configure provider API keys, or set up background notifications unless you understand that the dashboard can access session metadata, export conversation history, send summary commands into a session, and store settings/history locally. Keep the proxy bound to localhost, avoid opening untrusted sites while it is running, rotate any real gateway token exposed here, and confirm how to disable scheduled checks and delete exported or summarized session data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

Context-Inappropriate Capability

Severity: Medium, confidence 93%
Finding
This dashboard goes beyond passive token monitoring by triggering summary generation and exporting conversation data, which materially expands its authority and data access. In a client-side UI, these actions can expose sensitive session contents or cause unintended data persistence without a clear trust boundary or explicit user approval.

Context-Inappropriate Capability

Severity: Medium, confidence 95%
Finding
The UI can enumerate active sessions and retrieve full session histories, which is broader than necessary for a token-alert dashboard and exposes potentially sensitive conversation metadata and contents. If the page is accessed by an unintended user or compromised script, this creates a direct path to data disclosure across sessions.

Intent-Code Divergence

Severity: Low, confidence 72%
Finding
Although session switching is not implemented, the handler surfaces full session keys in visible notifications. Session identifiers may reveal internal structure or naming conventions and can leak sensitive operational metadata to shoulder surfers, screen captures, or other local observers.

Context-Inappropriate Capability

Severity: Medium, confidence 95%
Finding
This dashboard is presented as a token-alert/usage UI but also includes active capabilities to send session commands and export session contents. That materially expands the skill's authority from passive display into control and data exfiltration, which is dangerous because a user may grant or trust it under a narrower expectation.

Context-Inappropriate Capability

Severity: Medium, confidence 89%
Finding
The code enumerates active sessions across channels and can open new chat sessions, giving the dashboard operational and surveillance capabilities beyond simple alerting. In context, this increases the sensitivity of the component because it exposes metadata about conversations and enables session lifecycle actions.

Intent-Code Divergence

Severity: Low, confidence 84%
Finding
Although session switching is marked as TODO, the function still reveals the target session key in a visible notification. Session identifiers can be sensitive internal references and disclosing them in the UI may leak implementation details or aid further unauthorized access attempts.

Intent-Code Divergence

Severity: Medium, confidence 89%
Finding
The file presents itself as a token-monitoring dashboard, but the implementation also performs authenticated backend operations, session enumeration, and write-capable actions. This mismatch increases the chance that users or reviewers will grant trust to a UI that does more than its apparent purpose, which is a security-relevant transparency and scope issue.

Context-Inappropriate Capability

Severity: High, confidence 97%
Finding
A monitoring dashboard should not silently include session-control, summarization, and export features that can act on conversation data. These capabilities materially expand the privilege and data-handling surface, enabling unintended disclosure or modification of sensitive session content if the page is loaded by an authorized user.

Context-Inappropriate Capability

Severity: Medium, confidence 91%
Finding
The dashboard enumerates sessions across multiple channels such as Telegram, WhatsApp, Slack, and others, which exceeds what is needed for simple token alerting. Broad visibility into unrelated sessions increases exposure of metadata and can aid lateral discovery of sensitive conversations or operational details.

Context-Inappropriate Capability

Severity: High, confidence 96%
Finding
This dashboard is not read-only: the Summary action sends an authenticated `sessions_send` command that can modify live session state and instruct the backend to write data into `memory/`. That expands the trust boundary from passive monitoring to privileged control, creating risk of unintended state changes, prompt injection propagation, or abuse if the page is opened by an unauthorized user.

Context-Inappropriate Capability

Severity: Medium, confidence 97%
Finding
The Export action retrieves full session history and writes it to a downloadable markdown file, which can include sensitive prompts, secrets, personal data, or internal operational content. A token-usage dashboard context makes this more dangerous because users may reasonably expect telemetry only, not bulk content extraction.

Intent-Code Divergence

Severity: Medium, confidence 99%
Finding
The code embeds a gateway bearer token in client-side JavaScript and also exposes/persists token configuration in browser storage and UI. Any user with page access, browser extensions, XSS, shared-device access, or devtools access can recover and reuse that credential for authenticated backend actions.

Context-Inappropriate Capability

Severity: High, confidence 99%
Finding
The page embeds a live bearer token directly in client-side JavaScript and uses it to invoke privileged backend tools. Any user who can load or inspect the page can recover the token and use it to query session data or invoke backend capabilities outside the intended UI, turning the dashboard into a credential disclosure point.

Context-Inappropriate Capability

Severity: Medium, confidence 92%
Finding
A monitoring dashboard should not silently expand into an action surface that can send commands creating summaries and writing into memory storage. This increases the blast radius from read-only telemetry to state-changing operations, and if the page or token is abused an attacker can cause unauthorized writes or manipulate stored workflow state.

Description-Behavior Mismatch

Severity: Medium, confidence 96%
Finding
The dashboard can export full session conversation history into a downloadable markdown file, which is far more sensitive than token-usage statistics. If misused, this exposes potentially confidential prompts, responses, secrets, and user data, especially because the same exposed bearer token is used to retrieve message history.

Intent-Code Divergence

Severity: Medium, confidence 94%
Finding
The file presents itself as a simple CORS proxy, but it also silently injects a hardcoded bearer token into every proxied request. This mismatch hides a privileged authentication behavior from users and reviewers, making it easier for untrusted local web content or operators to abuse the proxy to perform authenticated actions against the gateway.

Context-Inappropriate Capability

Severity: Medium, confidence 96%
Finding
The handler sets Access-Control-Allow-Origin to '*' and allows POST requests, creating an open cross-origin bridge to a privileged local service. Even though the server binds to localhost, any website opened in the user's browser could send requests to this proxy and leverage the injected gateway token to access protected backend functionality.

Missing User Warnings

Severity: Medium, confidence 89%
Finding
The report describes an automatic export and follow-up summary trigger at 90% usage, including delayed execution, without indicating any explicit user consent, confirmation, opt-in setting, or warning about automatic data-affecting behavior. In a dashboard that may handle conversation memory or token-related session data, silent auto-export and summarization can cause unintended persistence, disclosure, or modification of user data and create privacy and integrity risks.

Missing User Warnings

Severity: Low, confidence 83%
Finding
The feature description states that notification permission is requested on page load, but does not mention any just-in-time rationale, user-impact warning, or user-initiated trigger. Prompting for browser notifications immediately on load is privacy-hostile and can condition users into granting sensitive permissions without context, which is especially risky in a monitoring dashboard that may generate frequent alerts.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The quick-start instructs users to run a setup script that installs software and enables recurring token checks/notifications, but it does not clearly warn that this creates a persistent background mechanism and may require additional trust review. In an agent-skill ecosystem, encouraging users to execute shell scripts and install a LaunchAgent-style notification flow without explicit consent language increases the risk of unwanted persistence or execution beyond the immediate session.

Missing User Warnings

Severity: Medium, confidence 89%
Finding
The README advertises automatic session backup and auto-summary at high-usage thresholds but does not explain what data is stored, where it is written, or the privacy implications of persisting conversation content. If users enable or rely on this behavior without understanding the data flow, sensitive prompts, outputs, or secrets from sessions could be written to disk unexpectedly and later exposed to other local users, backups, or sync services.

Missing User Warnings

Severity: Medium, confidence 86%
Finding
The documented export capability implies conversation or session data may be written to disk, but the README provides no warning about the sensitivity of exported content. In a tool designed to monitor active AI sessions, exported data may contain prompts, model responses, and operational details that users would not expect to persist outside the live session.

Vague Triggers

Severity: Medium, confidence 88%
Finding
The trigger phrase "Open dashboard" is generic and could collide with unrelated user requests, causing the skill to activate outside the intended token-monitoring context. In an agent environment, ambiguous activation increases the chance of unintended script execution or UI opening, which is a real safety issue even if the skill appears non-malicious.

Vague Triggers

Severity: Medium, confidence 76%
Finding
The description says alerts happen automatically but does not clearly define the triggering mechanism, timing, or safeguards. This ambiguity can lead to unexpected autonomous behavior, especially if the host agent interprets the text as permission to run checks or send alerts without explicit user action.

Missing User Warnings

Severity: Medium, confidence 93%
Finding
The skill advertises Telegram alerts but does not clearly warn that token-usage information may be sent to a third-party messaging platform. Even if the data is limited, transmitting session metadata externally without prominent disclosure can create privacy and operational security risks.

VirusTotal

66/66 vendors flagged this skill as clean.