Back to skill

Security audit

Token Cost Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a local cost-monitoring skill with optional notification examples that users should configure carefully.

Safe to install as a local cost reference and monitoring guide. Before using Slack, Discord, or email examples, confirm the recipient, treat cost and usage summaries as sensitive operational data, and keep webhook URLs in a secret manager or environment variable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The Slack webhook example transmits spending data to a third-party service without any warning about data sharing, retention, or webhook secrecy. Even if the example is simple, cost and usage information can reveal operational patterns, and exposed or mishandled webhooks can also enable unauthorized message posting.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The email reporting example sends cost information externally without warning users that billing or usage metadata is leaving the local environment. Such reports may expose spending habits, account activity patterns, or internal operational details if sent to the wrong recipient or through insecure mail handling.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.