Where Am I Burning Tokens?

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a read-only token-usage helper whose main risk is accidental activation from broad example prompts.

Install only if you are comfortable with the agent summarizing your local token usage and cost history. Use explicit prompts when invoking it, and review outputs before sharing them because usage and spend details may reveal private workflow information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The README suggests invocation via broad natural-language phrases like "where am I burning tokens?" and "token breakdown this week," which can cause the skill to trigger unintentionally during normal conversation. While the described capability is read-only and narrowly scoped, unintended invocation can still expose local usage and cost data when the user did not mean to run the skill.

VirusTotal

66/66 vendors flagged this skill as clean.
