Prompt Token Counter

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed token-counting and cost-estimation utility; it can read local OpenClaw files and optionally use network inputs, but those behaviors fit its stated purpose.

Install only if you are comfortable with the agent reading OpenClaw workspace and skill files to count tokens. Do not use the URL option with untrusted, localhost, or internal URLs, and do not run the API benchmark on sensitive text unless you trust the configured endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill describes capabilities to read local OpenClaw workspace files, optionally fetch remote URLs, and includes a publish script that updates files, yet it declares no explicit permissions. That mismatch is dangerous because it can lead users or enforcement systems to underestimate the skill's access to sensitive local data and its outbound network behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill is presented primarily as an OpenClaw token-audit utility, but its documented behavior also supports arbitrary file processing and remote URL fetching, and it references example code that may contact external endpoints when configured. This broader behavior expands the attack surface beyond the declared purpose and can be abused to access sensitive content or trigger unintended network activity under a seemingly narrow, trusted description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The CLI explicitly supports fetching arbitrary http/https URLs and reading their contents into the token-counting workflow. In a workspace-auditing skill, this expands the trust boundary from local user-provided text/files to network-retrieved content, which can enable unintended outbound network access, SSRF-like access to internal endpoints if run in a privileged environment, and processing of attacker-controlled remote data.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The trigger guidance is broad enough to activate the skill for many generic requests about prompt size or cost, or even whenever the agent merely 'needs' token counting before or after generation. Over-broad triggering can cause the skill to run unnecessarily, increasing the chance of reading sensitive workspace files or of steering users toward the optional URL/network features in contexts where the skill was not explicitly requested.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: In API mode, the script sends the full provided text to a remote model endpoint using API_KEY and BASE_URL without any interactive warning, trust check, or explicit confirmation at the call site. Because the sample text and CLI support file input, users may unintentionally transmit sensitive local content to a third-party or misconfigured endpoint, increasing data leakage and SSRF-adjacent risk through arbitrary base URL configuration.

VirusTotal

VirusTotal findings are pending for this skill version.
