Trust Assessment
token-saver received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 1 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Node lockfile missing, Skill Injects Hardcoded LLM Instructions into Workspace Files.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Skill Injects Hardcoded LLM Instructions into Workspace Files The `token-saver` skill is designed to optimize LLM context by compressing workspace `.md` files. However, its `scripts/compressor.js` component explicitly modifies these files by inserting hardcoded instructions and applying regex replacements that are intended to manipulate the host LLM's behavior. For example, it inserts "Auto-execute." into `AGENTS.md` and defines specific personality traits and behavioral directives in `SOUL.md`. When these modified files are subsequently read by the host LLM as part of its context, they constitute a direct prompt injection originating from the skill's own logic. This bypasses user control over the LLM's core instructions and can lead to unintended or malicious behavior. 1. **Remove hardcoded LLM instructions**: Eliminate all hardcoded LLM instructions (e.g., "Auto-execute.", specific personality traits, or behavioral directives) from the `replacements` array and the `getPrebuiltCompression` functions (`compressAgents`, `compressSoul`, `compressUser`, `compressMemory`). 2. **User Consent/Transparency**: If any form of instruction injection is deemed necessary for the skill's function, it must be explicitly disclosed to the user, and the user must provide clear consent before the skill modifies their core LLM instruction files. Ideally, such instructions should be dynamically generated or configurable by the user, not hardcoded. 3. **Focus on pure compression**: The skill should focus solely on token optimization through compression techniques that do not alter the semantic meaning or inject new instructions into the LLM's context. | LLM | scripts/compressor.js:30 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/token-saver/scripts/optimizer.js:315 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/rubenaquispe/token-saver/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/a8196b91898a4186)
Powered by SkillShield