Token Freedom

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AI API comparison and setup skill with affiliate-link guidance, not a system-modifying or credential-stealing package.

Install only if you want API provider comparison, signup help, and QClaw/API-key setup guidance. Expect referral or invite links to appear in recommendations, verify provider terms and pricing yourself, set spending limits, and do not share real API keys in chat, public code, screenshots, or untrusted tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The activation phrases are broad terms like 'API太贵了', '帮我注册API', and 'API比价', which can match many ordinary conversations unrelated to this specific affiliate-oriented workflow. Over-broad triggering can invoke the skill unexpectedly, causing unsolicited recommendations, local file reads, or promotion of referral links in contexts where the user did not intend that behavior.

Vague Triggers

Medium
Confidence: 86%
Finding
The Quick Start repeats vague activation guidance such as 'token 用完了' or '想用自己的 API' without defining boundaries for when the skill should not run. In practice, this increases the chance of unintended invocation and can steer unrelated support conversations into affiliate, registration, or configuration flows.

VirusTotal

61/61 vendors flagged this skill as clean.
