ClawCache Free - LLM Cost Tracking & Caching

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: clawcache-free
Version: 0.2.0

The skill bundle is classified as suspicious due to a critical inconsistency in the package installation instructions. SKILL.md and README.md instruct the agent to `pip install clawcache`, while CHANGELOG.md instructs `pip install clawcache-free`. This discrepancy (found across SKILL.md, README.md, and CHANGELOG.md) creates a supply chain vulnerability where the agent might install an unintended or potentially malicious package if 'clawcache' is a typosquatted package on PyPI, rather than the intended 'clawcache-free'. While the skill itself does not contain malicious code, this flaw in its installation instructions could lead to the execution of arbitrary code from an untrusted source.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the package will run code that was not included in these reviewed artifacts.

Why it was flagged

The skill itself includes no runnable code or install spec, so actual behavior depends on an external, unpinned Python package installed by the user.

Skill content

```bash
pip install clawcache
```

Recommendation

Verify the intended PyPI package, source repository, and version before installing; prefer pinning a reviewed version.

What this means

Sensitive prompts or responses may remain on disk and later be reused from cache instead of making a fresh model call.

Why it was flagged

The documented workflow saves prompts and LLM responses into a persistent local cache directory.

Skill content

```
await cache.aset(prompt, response, model=model)
...
export CLAWCACHE_HOME=/path/to/cache  # Default: ~/.clawcache
```

Recommendation

Choose a protected cache location, avoid caching secrets, and periodically clear or manage the cache when working with sensitive data.