Oktk

Security checks across malware telemetry and agentic risk

Overview

This skill is a useful token-saving command wrapper, but it can run or re-run arbitrary shell commands and stores local command-derived data, so it needs careful review before use.

Install only if you want a shell command wrapper, not just a passive output filter. Avoid persistent aliases and the universal ok wrapper until the command re-execution behavior is fixed; do not use it with mutating or sensitive commands, and clear or disable ~/.oktk cache/analytics if command names, paths, URLs, logs, or filtered outputs may be sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises shell-based interception, wrappers, and command processing, yet the manifest declares no permissions despite requiring shell and environment access. That mismatch weakens user consent and security review because operators may install or trust the skill without realizing it can execute commands and inspect environment-dependent data flows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a substantive behavior mismatch, not just a documentation issue: the skill appears to do more than compress piped output, including arbitrary command execution, persistent logging/caching, and broad shell wrappers. That expanded behavior increases the attack surface and can expose sensitive command output, secrets, repository contents, or operational metadata in ways users would not reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The implementation summary documents capabilities beyond the advertised scope of compressing git/docker/kubectl-style CLI output, including network, file, and search command handling. Scope expansion like this increases attack surface and user surprise, because a skill expected to summarize command output may end up processing broader categories of sensitive data than users reasonably anticipate.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file describes analytics, command logging, persistent cache storage, and memory/config integration that go materially beyond simple token optimization. These features can retain command contents and metadata, creating privacy and data-retention risks if sensitive terminal output, paths, URLs, secrets, or internal project details are logged or cached.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Documented command logging and auditable filter-operation logging are not obviously required to compress output, and they can capture sensitive operational details from shell activity. In a skill that may process repository state, test output, network responses, and search results, such logs can expose credentials, internal filenames, URLs, or proprietary data if stored insecurely or accessed by other components.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The stated integrations with memory systems, cron jobs, and sub-agent-specific configurations extend the skill from a local output filter into a more persistent and automated subsystem. That increases the chance of unintended background processing, broader data propagation between agents, and retention of sensitive command-derived information beyond the immediate user interaction.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module persistently logs command strings, cache keys, filter names, and token-usage metadata to files under the user's home directory. Even with partial sanitization, command lines often contain sensitive arguments, repository paths, hostnames, and operational context, so storing this data exceeds the core compression function and creates a privacy and local data-exposure risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Keeping the last 100 commands in stats storage creates a durable behavioral history that is not necessary for basic savings reporting. This increases exposure of potentially sensitive operational context and can reveal internal tooling, targets, secrets missed by regex redaction, or user activity to other local processes or users with file access.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The universal `ok()` wrapper allows any command's stdout/stderr to be piped into `oktk`, not just the advertised git/docker/kubectl outputs. In the context of a tool meant to prepare terminal output for LLM use, this materially expands the data-exposure surface to arbitrary local command output, including secrets, environment details, process listings, service states, and internal network information.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
These aliases extend beyond the stated purpose of optimizing git/docker/kubectl output and include general system-inspection commands such as `ps`, `ls`, `df`, `du`, and `netstat`. Those commands can reveal sensitive host metadata, usernames, file layouts, running processes, and listening services, increasing the chance that unrelated system information is funneled into the tool and subsequently exposed to downstream AI processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes persistent caching and command logging without corresponding privacy, retention, or security warnings. Users may reasonably assume a token-optimization utility is ephemeral, but cached outputs and logs can preserve sensitive CLI data, creating confidentiality and compliance risks if not disclosed and controlled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes compressing command output before it is sent to an LLM, including outputs from commands like curl, git, and grep that often contain secrets, internal URLs, tokens, credentials, headers, source code, or other sensitive operational data. Although it claims to auto-redact secrets, the documentation does not clearly warn users about the risk of external transmission or define strong boundaries for what must never be sent, so users may overtrust the tool and leak sensitive information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly optimizes data before it is sent to external LLMs, but the description omits a clear warning that CLI output may contain secrets, internal URLs, tokens, stack traces, or customer data. In this context, omission is dangerous because users may route sensitive shell output through the tool under the false impression it is a purely local formatter.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Automatic filtering and shell-level interception make the privacy risk greater because they encourage habitual use across many commands, including ones that may reveal credentials, infrastructure details, or private source code. The convenience framing reduces friction while lacking a matching warning about what data is captured, transformed, cached, and potentially sent onward.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The code writes analytics and command-derived data to local files automatically when tracking is enabled, but this file contains no user-facing notice, consent flow, or prominent warning. In a CLI tool that processes shell command output, silent persistence is risky because users may not expect their command history and usage patterns to be recorded on disk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Nearly all wrappers and aliases automatically pipe command output into `oktk` without any inline warning, consent flow, or data-classification guard. Since git diffs, docker logs, kubectl output, npm output, and system commands frequently contain credentials, tokens, proprietary code, internal URLs, or personal data, silently routing this content into an LLM-oriented optimizer creates a significant disclosure risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool executes arbitrary shell commands via execSync without any warning, confirmation, or trust boundary, which increases the chance that users or upstream agents invoke dangerous commands believing this is only an output-compression utility. In an agent-skill context, that mismatch is more dangerous because other automation may pass commands through this wrapper without recognizing it has full command-execution capability.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The AI learning feature can be enabled by environment variable, yet the CLI does not present an upfront warning that command output may be sent to an external model. Because this tool processes potentially sensitive CLI output such as git state, test logs, docker, kubectl, and search results, silent external transmission could expose credentials, source code, infrastructure details, or internal metadata.

Session Persistence

Medium
Category
Rogue Agent
Content
Source the aliases file for automatic filtering:

```bash
# Add to ~/.zshrc or ~/.bashrc
source ~/.openclaw/workspace/skills/oktk/scripts/oktk-aliases.sh
```
Confidence
80% confidence
Finding
Add to ~/.zshrc

VirusTotal

64/64 vendors flagged this skill as clean.