Token Usage Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill has a real usage-monitoring purpose, but it handles Claude OAuth credentials too broadly and can silently modify local Claude authentication state.

Install only if you are comfortable giving the skill access to Claude OAuth tokens and local Claude credential files. Avoid the cron workflow and browser-token extraction method unless you have reviewed the scripts, and treat .tokens as a password-equivalent file that may need rotation if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (18)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill advertises shell, file read, and file write behavior but does not declare permissions, which weakens transparency and informed consent. In this skill’s context, those capabilities are meaningful because it handles OAuth tokens, writes local state files, and suggests cron-based execution, so undeclared capabilities increase the chance of users authorizing sensitive behavior without realizing it.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The stated purpose is quota monitoring, but the documentation also covers collecting refresh/access tokens, syncing credentials, reading/writing Claude credential files, and invoking authentication flows. That mismatch is dangerous because users may install a seemingly harmless reporting tool without expecting credential-handling behavior, and credential workflows substantially raise the sensitivity of the skill.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: This file materially expands the skill from benign usage monitoring into instructions for acquiring Claude OAuth access and refresh tokens from local auth files, browser storage, and manual OAuth flows. Even if framed as setup guidance, collecting bearer credentials creates a direct account-compromise risk if mishandled, logged, copied into prompts, or reused outside the intended purpose.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The guide explicitly tells users to read local auth files and browser local storage to obtain OAuth credentials. Those locations contain highly sensitive secrets, and instructing users to extract and copy them normalizes unsafe credential-handling practices and increases the chance of account takeover or token leakage.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The script's stated purpose is token health monitoring and refresh alerting, but it also reads refresh tokens from a local .tokens file and silently rewrites ~/.claude/.credentials.json. That expands its authority from monitoring into credential manipulation, which is dangerous because it can alter a user's Claude authentication state without explicit consent or visibility.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: Updating ~/.claude/.credentials.json is a privileged authentication operation unrelated to simple quota tracking. In the context of a usage optimizer skill, this capability is unjustified and creates risk of account disruption, credential corruption, or persistence of unintended tokens in the user's local Claude environment.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The header comment says the script only checks token health and alerts if refresh is needed, but the implementation performs an undisclosed side effect: rewriting local credentials. This mismatch is dangerous because it conceals sensitive behavior from reviewers and users, increasing the chance that credential tampering goes unnoticed.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The script is presented as lightweight usage monitoring, but it also mutates credential state by triggering a CLI auth flow and rewriting the local .tokens file with a refreshed access token. That behavior exceeds user expectations for passive monitoring and increases risk by persisting sensitive credentials in another location without clear consent.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The script accesses ~/.claude/.credentials.json and deliberately triggers the Claude CLI to refresh credentials, even though quota monitoring only requires a valid token supplied by the user. Pulling tokens from another credential store broadens access to secrets and makes the script more dangerous because it silently leverages privileged local auth state.

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The setup script collects Claude Code OAuth access and refresh tokens and persists them locally, which is a sensitive credential-handling behavior not clearly aligned with the skill's stated usage-monitoring purpose. Even if intended for legitimate API access, requesting raw OAuth tokens expands the trust boundary and creates unnecessary credential exposure risk if the file is read, backed up, synced, or mishandled.

Context-Inappropriate Capability

Medium

Confidence: 98% confidence
Finding: The script directly collects both access and refresh tokens and writes them to disk in a local file. Refresh tokens are especially sensitive because they can enable long-lived session renewal, so local persistence materially increases the chance of account compromise through local disclosure, shell history mistakes, backups, malware, or accidental sharing of the project directory.

Missing User Warnings

High

Confidence: 96% confidence
Finding: These steps direct the user to authenticate and then locate and extract access and refresh tokens without clearly emphasizing that they are equivalent to account credentials. A user following this guidance may expose long-lived secrets to shell history, screenshots, chat transcripts, or insecure files, enabling unauthorized access.

Missing User Warnings

High

Confidence: 99% confidence
Finding: Telling users to open browser DevTools and copy auth values from local storage is especially risky because browser storage often contains active session material. This encourages exposure of tokens in a highly error-prone environment and can lead to immediate session hijacking if those values are disclosed.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script silently rewrites the .tokens file with a refreshed access token, creating or updating a secondary credential store without notifying the user. This can leave sensitive tokens in less protected locations, increase their lifetime on disk, and surprise users who expected read-only monitoring behavior.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script reads a local Claude credential file, extracts an access token, and sends it in a network request, but this behavior is not clearly disclosed in the skill itself. Even if the destination is the expected Anthropic endpoint, undisclosed credential access and transmission is security-sensitive and can violate user expectations and least-privilege principles.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script prompts for sensitive OAuth tokens without warning users about the risks of exposing or storing secrets, and then saves them locally. In the context of a usage-reporting skill, this is more dangerous because users may not expect credential collection at all and may paste highly privileged tokens without understanding the consequences.

Credential Access

High

Category: Privilege Escalation
Content: ### v1.0.5 (2026-02-22) - 🐛 **Bugfix:** Fixed token extraction in `auto-refresh-cron.sh` (removed quotes handling) - ⚡ **Performance:** Reduced cron interval from 1h to 30m for more reliable token refresh - 📝 Improved reliability of OAuth token sync with `~/.claude/.credentials.json` ### v1.0.4 (2026-02-21) - 🔄 Replaced automatic refresh with health check + manual refresh workflow
Confidence: 95% confidence
Finding: credentials.json

Session Persistence

Medium

Category: Rogue Agent
Content: OAuth tokens work for ~1 week, then need manual refresh. Set up 30-minute health check for better reliability: ```bash # Add cron job to check token health every 30 minutes openclaw cron add \ --name "claude-token-refresh" \ --every 30m \
Confidence: 86% confidence
Finding: Add cron job to

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal