Back to skill

Security audit

Token Stats

Security checks across malware telemetry and agentic risk

Overview

The skill is a local token-usage viewer, but its maintenance commands can persistently change PATH and recursively delete multiple install or skill directories without a clear confirmation step.

Review the setup/update/uninstall behavior before installing. Use the stats features only if you are comfortable with it reading local assistant usage files, and avoid running setup, update, or --uninstall unless you accept PATH changes and removal of the listed token-stats/agent-usage-stats directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"c.close();print(json.dumps({'rows':rows,'sc':sc},default=str))"
    ) % (linux_path, where, where)
    try:
        r = subprocess.run(
            ["wsl.exe", "-d", distro, "--", "python3", "-c", script],
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, timeout=15,
        )
Confidence
93% confidence
Finding
r = subprocess.run( ["wsl.exe", "-d", distro, "--", "python3", "-c", script], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, timeout=15, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"c.close();print(json.dumps({'rows':rows,'sc':sc},default=str))"
    ) % (linux_path, where, where)
    try:
        r = subprocess.run(
            ["wsl.exe", "-d", distro, "--", "python3", "-c", script],
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, timeout=15,
        )
Confidence
93% confidence
Finding
r = subprocess.run( ["wsl.exe", "-d", distro, "--", "python3", "-c", script], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, timeout=15, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises itself as a local token-usage viewer, but the documented behavior includes setup, update, and integration flows that imply shell execution, file reads/writes, and possible environment access without any declared permissions or explicit scope statement. This creates a transparency and consent problem: users and hosting platforms cannot accurately judge what the skill may access or modify, which increases the chance of over-privileged execution and unintended local impact.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
There is a substantial mismatch between the stated purpose ('choose an agent and view token consumption') and the broader behaviors identified, including installation, update/uninstall logic, PATH modification, persistent path scanning, exports, and monitoring. This is dangerous because users may invoke a seemingly harmless reporting skill while it performs system changes, subprocess calls, broader filesystem discovery, or persistent data collection beyond what the description suggests.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The regression test explicitly exercises setup, update, and uninstall flows that create wrappers, modify PATH-related shell rc files, and remove installed files. For a skill advertised as a token-usage viewer, validating and therefore normalizing these system-modifying capabilities expands the trusted footprint and increases the risk of persistence or destructive side effects if the underlying install logic is abused or compromised.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code verifies behavior that edits shell startup files and manages executable wrappers/forwarders, which are persistence-oriented mechanisms. In the context of a token statistics viewer, these capabilities are not inherent to the stated purpose and make misuse more dangerous because a compromised or overly broad installer could alter command resolution or persist across sessions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This code persistently modifies user shell startup files and the Windows user PATH/registry to install a command wrapper. While that can be normal for an installer, it exceeds the stated purpose of a token-usage monitoring skill and creates a persistence mechanism that survives sessions. In skill ecosystems, unexpected persistence is security-relevant because it broadens trust and execution surface beyond simple monitoring.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The uninstall routine recursively deletes not only the primary install directory but also several legacy/source-like locations, including skill paths under home, working directory, and ClawHub directories. Although intended as cleanup, broad recursive deletion increases the risk of unintended data loss if path assumptions are wrong or if users have modified those directories. In the context of a monitoring skill, this is broader destructive capability than expected.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code implements persistent PATH manipulation on Unix shell rc files and the Windows user registry, giving the skill a durable execution foothold. Even if used for convenience, this capability is not justified by a monitoring-only description and can change how future commands resolve on the system. The mismatch between declared purpose and persistent environment modification makes the behavior more suspicious and risky.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The installer copies multiple runtime files, removes existing destination trees, and creates executable wrappers, which is broad filesystem management unrelated to simply viewing token consumption. This increases the blast radius of the skill and introduces overwrite/destructive behavior if installation paths are mistaken or abused by higher-level code. In a monitoring skill, such installation capability is unexpectedly powerful.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The README instructs users to run an uninstall action that removes wrappers, PATH entries, config files, install directories, and possibly skill directories, but does not prominently warn about the scope of deletion. In a tool that modifies shell startup files and PATH, insufficient disclosure can lead users to unintentionally remove configuration or local data, creating integrity and availability risk on the host.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code overwrites and deletes destination content during installation/update without any visible confirmation or warning in this file. Even if another layer may prompt the user, this routine itself assumes destructive authority and can cause silent replacement of files or directories. That is risky when the skill's stated purpose is only to monitor token usage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
These routines persistently alter shell configuration files and the Windows user environment without any visible disclosure or interactive acknowledgment in this code path. Such changes affect future sessions and command resolution, so silent modification can surprise users and weaken trust boundaries. In a token-statistics skill, hidden persistence is especially out of scope.

Missing User Warnings

High
Confidence
94% confidence
Finding
The uninstall code recursively removes multiple directories, including legacy/source-related locations, without visible confirmation in this file. Recursive deletion is high impact because mistakes in path selection or stale assumptions can destroy user data and code trees beyond the active install. Given the skill's limited stated purpose, this destructive breadth is disproportionate.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.