token-slim

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real token-cleanup skill, but it can persistently change future agent behavior and optionally install/download tokenizer components, so it needs user review before installation.

Install only if you are comfortable letting the skill read workspace context files and modify agent configuration. Run scans in dry-run mode first, review the exact config blocks before accepting them, avoid batch mode unless you trust every proposed change, and skip the tiktoken installer in restricted environments unless you accept pip installation and external cache downloads.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 97%
Finding: The skill document describes capabilities to read/write workspace files, invoke Python scripts, access environment-dependent paths, and perform network-backed package installation/cache fetches, but it does not declare permissions or present a clear least-privilege model. In an agent runtime, hidden or undeclared capabilities reduce operator visibility and can lead to unintended file modification or outbound network access when the skill is triggered.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The stated purpose is token optimization, but the documented behavior expands into package installation, remote cache retrieval, persistent local state, and scanning of skill files. That mismatch is dangerous because users may invoke a seemingly harmless cleanup skill without realizing it can execute networked install flows and create or modify additional filesystem state.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding: A workspace-cleanup skill should primarily operate locally, but this one instructs the agent to install packages and fetch external resources from the internet. Introducing outbound network operations increases supply-chain and data-exposure risk, especially in constrained agent environments where users may not expect internet access from a maintenance task.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding: The skill includes package installation from multiple mirrors and remote vocabulary downloads that are not essential to its baseline cleanup role. This broadens the attack surface through dependency compromise, mirror trust issues, and unreviewed external content retrieval, all under the banner of a low-risk optimization utility.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The onboarding flow goes beyond temporary workspace cleanup and requires persistent edits to the workspace agent configuration that change future behavior every session. This is dangerous because a cleanup/optimization skill is using a one-time maintenance action to install long-lived behavioral policy, creating hidden persistence and changing how the agent responds later without clear scope limitation.

Intent-Code Divergence

Medium
Confidence: 91%
Finding: Step 3 says backups are optional and only created if the user confirms, while the Undo Mechanism later requires backups before any modification. This inconsistency is dangerous because an operator may follow the weaker instruction and irreversibly modify or delete workspace content, especially when the same document also instructs immediate deletion of files like BOOTSTRAP.md.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding: The installer reaches out to external package indexes and an OpenAI-hosted blob to download code and model assets, which expands the skill's trust boundary beyond simple workspace token optimization. In an agent/runtime context, this creates supply-chain and unexpected network-exfiltration risk because running the skill causes third-party package installation and remote fetches that are not strictly necessary for safe local analysis.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding: This code performs subprocess-driven pip installation from multiple remote indexes, including mirrors, which materially increases supply-chain exposure. In agent environments, an installer that can mutate the Python environment is more dangerous than the stated token-cleanup purpose suggests, because compromise of an index, mirror, or dependency chain could lead to arbitrary code execution during install.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding: The scanner can trigger outbound network access when tiktoken initializes and downloads tokenizer data into the cache. In an agent skill meant to scan a local workspace, unexpected network egress can violate offline assumptions, leak metadata such as timing/IP/environment usage, and create nondeterministic behavior in restricted environments.

Intent-Code Divergence

Medium
Confidence: 98%
Finding: The help text says --dry-run will not modify files, but startup still preloads tiktoken, creates cache directories, and may fetch tokenizer data over the network before scanning. This breaks the user's safety expectation for preview mode and can cause filesystem changes or network activity in environments where dry-run is relied on for non-invasive inspection.

Vague Triggers

Medium
Confidence: 90%
Finding: The trigger list includes broad, natural follow-up phrases such as 'scan again', 'find more savings', and 'what else can I optimize', which can easily appear in ordinary conversation. In an agent runtime that auto-activates skills based on phrase matching, this increases the chance of unintended invocation, causing the agent to read workspace files or initiate cleanup workflows without the user explicitly requesting this skill.

Vague Triggers

Medium
Confidence: 86%
Finding: The example phrase 'save tokens' / '帮我省 Token' is short, generic, and likely to overlap with normal user requests about efficiency rather than a deliberate request to activate this specific skill. In environments where skills are selected heuristically, this can trigger the skill unexpectedly and expand the agent's behavior to scanning workspace context files, which may expose or alter project state beyond the user's immediate intent.

Vague Triggers

Medium
Confidence: 90%
Finding: The trigger phrases are broad everyday language such as requests to save or optimize tokens, which can cause accidental invocation in unrelated conversations. In agent systems, unintended activation is dangerous because it can lead to workspace scanning, prompts to modify files, or execution of helper scripts without the user intentionally selecting this skill.

Vague Triggers

Medium
Confidence: 88%
Finding: The re-scan examples are similarly ambiguous and may react to casual follow-up phrases like 'scan again' or 'what else can I optimize' without clear scope. While less severe than initial activation, this can still cause repeated file inspection or pressure the user toward further modifications they did not explicitly request.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding: The skill requires inserting a Chinese-only persistent session-discipline block into workspace configuration, which can alter future agent behavior while being unreadable or less reviewable for some users. The danger comes less from the language itself and more from coupling unreadable persistent config changes with mandatory installation, reducing informed consent and increasing the chance of unnoticed behavioral persistence.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding: The token-habits template forces Chinese-language persistent configuration and confirmations, including a default 'brutal mode' behavior for future sessions. This is dangerous because it combines opaque or less-reviewable text with persistent response-policy changes, making it easier to alter agent behavior without fully informed user approval.

Vague Triggers

Medium
Confidence: 84%
Finding: The re-scan mode is triggered by broad natural-language phrases such as 'scan again' or 'what else can I optimize', which can be matched in contexts unrelated to intentional workspace modification. In this skill, that ambiguity matters because the workflow can progress from scanning into file-moving or batch execution, increasing the chance of unintended actions from casual or adversarially planted text.

Ssd 3

Medium
Confidence: 93%
Finding: The instruction to record key decisions into memory files each session creates persistent storage of user-provided information by default. This is dangerous because it may retain sensitive decisions, operational context, or private data beyond the current session without granular consent, increasing exposure if the workspace is shared, synced, or later accessed by other tools or agents.

Ssd 3

Medium
Confidence: 94%
Finding: The skill instructs the agent to make workspace-wide persistent behavior changes that apply every session without obtaining clear per-session or per-setting consent. In the context of an optimization skill, this is more dangerous because users may expect temporary cleanup assistance, not installation of lasting operating policy that affects future agent conduct.

VirusTotal

64/64 vendors flagged this skill as clean.