tokenwise
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install an external plugin from a community repository (CodeShuX/tokenwise) that is not verified by the platform, which could lead to the execution of unvetted code.
- [COMMAND_EXECUTION]: The /tokenwise:install command modifies the agent's core configuration files, specifically CLAUDE.md and settings.json, to implement the model routing logic.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by processing arbitrary user tasks and subtasks to determine which model tier to use.
- Ingestion points: User-provided subtasks and task descriptions as described in the routing taxonomy.
- Boundary markers: No specific delimiters or instructions to ignore embedded commands are identified in the skill logic.
- Capability inventory: The skill modifies project-level configuration files and controls the selection of models via the claude tool.
- Sanitization: Task descriptions are truncated to 80 characters for logging purposes, but the full input is processed for the underlying routing decisions.
Audit Metadata