ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Token Consumer Optimizer

v2.0.0

智能推荐最经济高效的AI模型组合,实时比价、成本估算及预算规划,优化Token消费方案与使用效果。

0· 43·0 current·0 all-time
by张律师@sealawyer2026
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
High-level purpose (recommend cheapest/appropriate AI models) matches included files, but there are multiple mismatches: manifest.entry points to optimizer_v2.py while main.py and tests expect a TokenConsumerOptimizer class and helper functions from optimizer.py that are not present in optimizer.py. SKILL.md and README promise '实时价格抓取 (multi-platform real-time fetch)' and an API interface, but provided code uses local JSON price files and hard-coded PRICE tables instead of any real network fetch. The package references external endpoints (http://api.token-master.cn/v2 and token-master.cn) in manifest/README but the code doesn't implement remote calls — inconsistent responsibilities.
!
Instruction Scope
SKILL.md instructs running optimizer.py/optimizer_v2.py and promises real-time price fetching and API access. optimizer_v2.py contains sys.path.insert(0, '/root/.openclaw/workspace/token-ecosys-core') and then imports models and utils from that external path — this attempts to access the agent/system workspace outside the skill bundle. That is scope creep: it expects to load code from an absolute system path and could cause the skill to execute or rely on arbitrary code present in the agent environment. SKILL.md does not disclose this dependency or the potential to access filesystem paths outside the skill directory.
Install Mechanism
There is no registry install spec, but an included install.sh copies optimizer.py and models.json into ~/.local/bin and names the binary token-consumer-optimizer; it also renames models.json to token-models.json. The install script is simple and uses only local files (no remote downloads). However, the installation behavior is not reflected in registry metadata (the skill was declared 'instruction-only'), causing an expectation mismatch. The install script may fail or behave incorrectly because code expects files at relative paths.
Credentials
The package declares no required environment variables or credentials (good), and requirements.txt is empty. However publish.sh mentions a GitHub token (not required to run the tool) and optimizer_v2's sys.path insertion implies the skill may access files in the host workspace (no env var needed). There are no explicit secret exfiltration calls in the visible code, but the absolute-path import could allow the skill to indirectly use host-provided modules that access secrets. Also several files reference external endpoints (token-master.cn) in manifest/README without providing required API keys or showing how authentication would work.
Persistence & Privilege
The skill does not request always:true and does not declare modifications to other skills. The install.sh, if executed, writes binaries to ~/.local/bin and suggests adding that directory to PATH — this is ordinary for a CLI tool. The main notable privilege is optimizer_v2's sys.path insertion pointing into /root/.openclaw/workspace which would let the skill load code from the agent's workspace on import; that grants it broader reach into the runtime environment than a self-contained skill and is a potential escalation of capability if that workspace contains sensitive modules or data.
What to consider before installing
This package looks like a legitimate cost-optimizer in intent but contains inconsistencies and one risky pattern. Before running or installing: - Do not run install.sh or any Python scripts as root. Run in an isolated environment (container or VM) first. - Inspect optimizer_v2.py: it inserts '/root/.openclaw/workspace/token-ecosys-core' into sys.path and imports modules from there. Ask the author why it needs to load code from that absolute workspace path; this could cause it to execute arbitrary local code present on the host. If you don't control that workspace, treat this as a red flag. - Confirm entrypoint and API behavior: manifest.entry is optimizer_v2.py but main.py and tests reference classes/functions that optimizer.py doesn't define. Ask for a clear, single entrypoint and for tests to pass. - If you need the functionality, run the included unit tests in a sandbox to reproduce expected behavior. The tests expect a TokenConsumerOptimizer class (not present in optimizer.py) — request corrected code or a working release. - If you plan to use any network features (real-time pricing/API), ask what endpoints are contacted and what credentials are required; do not provide tokens or credentials until you verify the caller and TLS endpoints. What would change this assessment: a corrected/single coherent entrypoint, removal of absolute sys.path insertion (or clear explanation/justification and a safer mechanism), and code that implements or documents real-time fetching and any required credentials. Until then treat the package as suspicious and run it only in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk9700fz7xzxxcfc3p17af66rbn83s322

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments