Skills
skills/doodledood/claude-code-plugins/optimize-prompt-token-efficiency/Socket

optimize-prompt-token-efficiency

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security
SecurityMEDIUM
SKILL.md

The module's functionality aligns with its documented goal (lossless token-efficiency optimization). However, its architecture creates a significant supply-chain and data-exfiltration risk because it sends complete file contents to an external verifier subagent and relies on that agent's verdict to perform irrevocable local file overwrites. Absent controls (path restrictions, backups, local/vetted verifier, data minimization, or explicit user confirmation), treat this skill as high-risk for sensitive environments. It is not demonstrably malware from the code provided, but its design enables potential malicious exfiltration or unwanted modification if the verifier or execution environment is compromised. Recommend implementing mitigations (local verifier, backups, path whitelists, explicit confirmations) before use in production or on sensitive files.

Confidence: 98%Severity: 75%
Audit Metadata
Analyzed At
Mar 1, 2026, 01:35 AM
Package URL
pkg:socket/skills-sh/doodledood%2Fclaude-code-plugins%2Foptimize-prompt-token-efficiency%2F@66d2c4db5625f29d41e94d9cfd3faf5aae043055