Back to skill

Security audit

Tokensave Publish

Security checks across malware telemetry and agentic risk

Overview

TokenSave is a disclosed local token-cost analysis skill, with some privacy-relevant local session access and a separately documented networked pipeline mode users should opt into carefully.

Install only if you are comfortable with a tool reading local Hermes session transcripts and cost metadata for analysis. Use explicit commands with a specific session or file when possible, and do not enable the separate OpenAI wrapper/pipeline mode unless you intentionally want API calls routed through tokensave with an API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill presents itself primarily as a local, zero-config token analysis tool, but the documentation also advertises a separate transparent API-wrapping pipeline that can intercept and transform OpenAI calls. That mismatch expands the effective trust boundary and can mislead users or orchestrators into enabling a capability with materially different privacy, integrity, and network behavior than expected.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The documented pipeline mode introduces outbound API-proxy behavior that is not necessary for the stated local session-analysis purpose. Even if separated conceptually, bundling network interception with a local diagnostic skill increases the chance of unintended activation, data exposure, or silent modification of API traffic.

Vague Triggers

Medium
Confidence
74% confidence
Finding
Several trigger phrases are broad enough to match ordinary conversation about expense or billing, increasing the risk that the skill runs when the user did not intend to analyze local session artifacts. Because the skill may read sensitive local session data such as ~/.hermes/state.db, accidental invocation can create unnecessary privacy exposure.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
79% confidence
Finding
The trigger phrase 'run tokensave' overlaps with the generic built-in command verb 'run', creating ambiguity about whether the platform should execute a native command or invoke this skill. Such shadowing can cause unintended skill activation or interfere with expected command-routing behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.