caveman-token-optimizer

Warn

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The documentation provides instructions to download content from the JuliusBrussee/caveman repository using git clone, npx, and claude plugin marketplace commands.
  • [REMOTE_CODE_EXECUTION]: The skill encourages the execution of code from an external source through pip install -e . and the execution of Python scripts (run_benchmarks.py, compare.py) within the cloned repository.
  • [COMMAND_EXECUTION]: Several shell commands are included for setup and benchmarking, such as npx skills add JuliusBrussee/caveman and python run_benchmarks.py, which execute code from third-party locations.
  • [CREDENTIALS_UNSAFE]: The 'Reproducing Benchmarks' section instructs users to export their ANTHROPIC_API_KEY environment variable for use by the downloaded scripts, which could lead to credential harvesting if the external scripts are compromised.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 6, 2026, 12:45 AM