Skill v1.1.0

ClawScan security

TrustLog Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 23, 2026, 11:02 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (local cost tracking) matches its instructions, but it reads and writes local session files without declaring those config paths and performs passive monitoring that could expose sensitive conversation content — the mismatch and privacy implications warrant caution.
Guidance
This skill appears to do what it claims (read session logs, report spend, write a budget file), but the package metadata did not declare the local files it reads/writes. Before installing, consider:
1) Inspect a sample of your ~/.openclaw/agents/*/sessions/*.jsonl files to confirm they don't contain secrets you don't want scanned or stored.
2) Ask the publisher for the skill source or a detailed manifest showing which exact paths it will read/write and an explicit privacy guarantee — the SKILL.md's '100% private' claim is not verifiable as-is.
3) If you proceed, run it in a restricted environment or back up your data; verify the budgets file location (~/.openclaw/workspace/trustlog-guard/budgets.json) and ensure you’re comfortable with the agent creating/writing that file.
4) Prefer skills that declare required config paths and provide source code or provenance. If you need lower risk, request the same functionality implemented as a small local utility you can inspect and run separately rather than an autonomously-invokable skill.

Review Dimensions

Purpose & Capability
note
The name/description (financial governance, cost tracking) aligns with the SKILL.md: it reads session .jsonl logs, computes spend, enforces budgets, and writes a budgets.json file. However, the registry metadata declared no required config paths or credentials while the instructions explicitly read from and write to specific home-directory paths (~/.openclaw/agents/{agent}/sessions/*.jsonl and ~/.openclaw/workspace/trustlog-guard/budgets.json). That mismatch is an incoherence: the skill effectively requires file access that wasn't declared.
Instruction Scope
concern
The SKILL.md instructs the agent to read potentially many local session JSONL files and to create/update a budgets.json file. It also mandates passive anomaly checks on every command invocation. These are within a plausible scope for a cost-tracking tool, but they grant broad local-file read access to conversation logs (which may contain sensitive data). The instructions are prescriptive (exact output formats and rules) and reference an {agent} placeholder but do not specify how to choose/limit which agents' session directories to scan, raising risk of over-broad scanning.
Install Mechanism
ok
No install spec or code is present (instruction-only), so nothing is downloaded or written by an installer. This reduces supply-chain risk.
Credentials
concern
No environment variables or external credentials are requested (good). However, the skill requires reading conversation session logs under ~/.openclaw and writing a budgets file under ~/.openclaw/workspace — accesses that were not declared in metadata. Reading whole session logs can expose user data and secrets; writing files to the user's home directory should be declared and justified in metadata. The skill claims '100% private' but provides no mechanism or guarantee for that.
Persistence & Privilege
note
always:false (good). The skill instructs passive anomaly detection during other commands, which means it may run file scans frequently when invoked — this is not an elevated platform privilege but increases monitoring frequency and privacy exposure. The skill writes its own budgets file in the user's home; that behavior is expected for its purpose but should have been declared.