Token Tamer — AI API Cost Control

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Token Tamer appears to be a local, user-directed cost-tracking tool with no evidence of hidden network access or exfiltration, but users should verify the source and protect the local usage log.

Before installing, verify that you trust this package source, ensure Python is available, choose a private local path for token_usage.json, and avoid putting secrets, prompts, customer data, or personal identifiers into the logged metadata fields.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may run local code without a linked upstream source or homepage, so you should review the included files and know that Python is required.

Why it was flagged

The skill includes runnable Python files but has minimal provenance and no declared runtime/install requirements in the registry metadata.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill; Code file presence: 4 code file(s)

Recommendation

Install only from a trusted registry entry, review the included Python scripts, and run the reviewed version from a controlled directory.

What this means

The local usage file can reveal API usage patterns, costs, project/task names, session identifiers, or any sensitive metadata you choose to log.

Why it was flagged

Usage records, including task/session labels and arbitrary metadata, are persisted to a local JSON file.

Skill content

'provider': self.provider, 'model': self.model, ... 'task': self.task, 'session': self.session, 'metadata': self.metadata ... json.dump(data, f, indent=2)

Recommendation

Set USAGE_FILE to a private path, restrict file permissions, avoid logging secrets or prompt content in task/session/metadata fields, and configure retention/backups appropriately.