Skill v1.0.5
VirusTotal security
Token Usage Optimizer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:21 AM
- Hash: dadf02868ef5ea5dd35918ff926b1cc32b46c55a1ea8362327394fcdae5569fa
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: token-usage-optimizer. Version: 1.0.5. The skill bundle contains a critical shell injection vulnerability. The `scripts/setup.sh` script takes user input for `ACCESS_TOKEN` and `REFRESH_TOKEN` and writes it directly into the `.tokens` file. Other scripts (`scripts/check-usage.sh`, `scripts/auto-refresh-cron.sh`, `scripts/refresh-token.sh`) then use `source "$TOKEN_FILE"` to load these variables. An attacker could provide a crafted token (e.g., `"; evil_command #"`) during setup, leading to arbitrary code execution (RCE) when any of the sourcing scripts are run. Additionally, `scripts/check-usage.sh` uses `sed` to update the token file, which could also be vulnerable to injection if the token value is maliciously crafted. While the stated purpose is benign, these vulnerabilities allow for malicious exploitation.
