Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Context Window Economics

v0.1.1

Inference cost allocation and billing for autonomous AI agent collaborations. Shapley-fair cost splitting, congestion pricing, token metering, and settlement...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals

Crypto: Can make purchases

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability

Name, description, and the provided usage examples (CostTracker, allocate_costs, congestion_price, settlement_report) are coherent with an inference-cost-allocation library. The declared required binaries (python3 + pip/pip3) are reasonable and proportionate for a Python library.
Instruction Scope

SKILL.md stays within the stated domain (tracking token usage, allocating costs, producing settlement reports) and only references writing/reading cost files in the working directory. However, the runtime instructions require installing an external package from PyPI (pip install context-window-economics) — that implies a network fetch and running code not included in the skill. The embedded 'Security & Transparency Disclosure' asserts 'No network access for core operations', which is potentially misleading because installation itself requires network access and the installed package could perform network operations. The skill does not instruct reading unrelated system files or env vars.
Install Mechanism

The skill is instruction-only and has no install spec; it tells users to run 'pip install context-window-economics' (PyPI). This is a common install mechanism, but it means the skill's behavior depends on an external package you must fetch and run. Because the skill package is not bundled here, the security posture depends on that PyPI package (author, code, release integrity). No in-repo code was available for local review.
Credentials

The skill declares no required environment variables or config paths, and the instructions do not request credentials. That is proportionate to the stated functionality. Caveat: the external PyPI package could request or use env vars after installation — there is no way to verify that from this instruction-only skill.
Persistence & Privilege

Skill metadata does not request always:true and does not claim persistent system changes. As an instruction-only skill it does not itself install or persist files beyond advising a pip install and writing cost files in the working directory. Autonomous invocation is allowed by default on the platform, which, combined with installing external code, increases blast radius — worth considering but not itself a misconfiguration of this skill.
What to consider before installing

This skill appears to do what it claims (allocate and report inference costs), but it relies on an external PyPI package not included in the skill bundle. Before installing or running it:

1) Verify the PyPI package 'context-window-economics' exists and inspect its source code or repository and maintainer reputation.
2) Don't run pip install in an untrusted environment — install in an isolated environment (virtualenv, container) and pin the package version.
3) Review the package for network activity, telemetry, or code that reads unexpected files or environment variables (the SKILL.md's disclosure claims 'no network access', but installation requires network access and the package may still perform network I/O).
4) Keep cost-tracking files in a dedicated directory and avoid pointing the package at sensitive paths.
5) If you need higher assurance, request the package source or a reproducible build and confirm the homepage/author identity (alexfleetcommander / vibeagentmaking).

Because the actual runtime behavior depends on remote code, exercise caution — treat this as untrusted until you review the upstream package.


latest · vk979zxf7x1adgvb43p2fref1ms848ecr

Runtime requirements

Bins: python3
Any bin: pip, pip3
