Is jzOcb/token-guard safe?
https://github.com/jzOcb/token-guard
Token Guard is a legitimate budget monitoring tool that tracks AI token usage and costs. While it accesses user configuration files and can modify system settings, these capabilities align with its stated purpose of preventing excessive spending through budget monitoring and automatic model downgrading.
Findings (3)
MEDIUM Accesses User Configuration Files -20
The skill accesses user configuration files ($HOME/.clawdbot/clawdbot.json, $HOME/.openclaw/openclaw.json) that may contain API keys or other sensitive configuration data. While this appears necessary for its stated functionality, it represents potential access to sensitive information.
LOW Contains Executable Shell Script -15
The skill includes an executable bash script (token-guard.sh) that performs token monitoring and cost management operations. The script appears legitimate and matches the stated purpose of budget monitoring.
LOW System Configuration Modification Capability -25
The skill can modify system configuration by making API calls to the local gateway to change model settings when budget limits are exceeded. While this matches the stated auto-downgrade functionality, it represents the ability to alter system behavior.