Back to skill

Security audit

Tokenoptimizer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed OpenClaw cost-optimization tool, with local configuration and prompt-template changes that users should review before applying.

Install only if you want a tool that can change OpenClaw cost-related configuration and generate prompt/rule files. Review dry-run output and generated files before applying changes, narrow or disable broad triggers if your environment supports it, and avoid provider reachability checks if outbound network logging is a concern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises file modification, local stats writing, and provider connectivity behavior, but the manifest shown does not declare any permissions despite requiring file read/write, environment access, and network use. Undeclared capabilities reduce transparency and can cause users or orchestrators to grant trust to a skill without understanding its actual access, increasing the chance of unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented primarily as a cost optimizer, but the described behavior extends to backup restoration, workspace and prompt file generation, stats collection, and network checks to third-party or local providers. This mismatch is dangerous because users may invoke it expecting low-risk tuning while it performs broader persistent changes and external communication, which can alter agent behavior or expose metadata unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims to optimize token-cost configuration, but it also creates additional workspace and prompt files under ~/.openclaw. This expands its write scope beyond the expected configuration change surface and can silently influence future agent behavior, which is risky for a skill that users may expect to be narrowly scoped.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The code creates and updates a separate stats file (token-optimizer-stats.json) that is not part of the advertised token optimization configuration changes. Even though the data appears limited, undeclared persistence is a trust and transparency issue and can accumulate metadata about usage over time.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill generates agent prompt and behavior rules that go beyond cost optimization, including instructions about model selection, session loading, memory handling, and workflow behavior. Because prompt content directly steers future agent actions, this is effectively a behavioral modification mechanism, not just a config optimizer, and it can alter security-relevant operations such as context loading and decision routing.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The top-level docstring describes the module as applying token optimization configurations, but the implementation also generates workspace templates and agent prompt content. This mismatch can mislead reviewers and users about the true capabilities and side effects of the skill, reducing informed consent and making risky behavior easier to hide.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The verification command performs unrelated engagement behavior by displaying a donation solicitation and tracking/reporting user 'savings' over time. This is dangerous because a verification routine is expected to be read-only and narrowly scoped; bundling marketing-style prompts and behavioral tracking into it violates user expectations and can normalize hidden side effects in trusted maintenance workflows.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The verifier writes persistent state to token-optimizer-stats.json during a routine check, updating timestamps and counters unrelated to core verification. Persistent writes from a diagnostic command are risky because they create undisclosed tracking state, alter the user's environment, and make a supposedly safe audit action have side effects.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad and map to common conversational language such as 'save money' and 'reduce costs,' making accidental invocation likely. In this skill's context, unintended activation is riskier because the tool can modify configuration under ~/.openclaw/, generate prompt files, and potentially change provider routing, so a casual budgeting discussion could lead to meaningful system changes.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains many broad, everyday cost-related phrases such as 'save money', 'too expensive', and 'reduce costs', which can cause the skill to activate in contexts far beyond intentional token-optimization requests. This increases the chance of unintended invocation, potentially steering user workflows or overriding more appropriate skills when normal budgeting or spending discussions occur.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The generated prompt instructions tell the agent to update persistent memory/session files at the end of each session, but the skill does not present an explicit warning about ongoing persistent data writes. In context, this is more dangerous because the skill is marketed as a token-cost optimizer, so users may not expect it to introduce new persistence behaviors affecting conversation history and user data retention.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The verifier issues HTTP requests to localhost services and to https://api.groq.com to test provider reachability without clear user-facing disclosure. Even though the requests are limited, unexpected network activity from a verification command can leak environmental information, trigger logs on third-party services, and violate assumptions in restricted or privacy-sensitive environments.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The verifier updates a local stats file without clearly informing the user that running verification mutates persistent state. Hidden local-state changes are dangerous in security-sensitive tooling because they reduce auditability, can surprise users who expect read-only validation, and may be used as a foothold for further persistence patterns.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
80% confidence
Finding
The trigger 'save money' overlaps semantically with a built-in 'save' command, creating command shadowing or ambiguous routing. This can cause the wrong action to run or unexpectedly invoke the skill during normal user workflows, which is especially undesirable for a tool that changes persistent configuration and prompt files.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.