Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Loomlensai

v1.0.3

Estimate the cost of any AI prompt across 19+ models before you run it. Works with OpenAI, Anthropic, Google, DeepSeek, xAI, MiniMax, and local models.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a prompt-cost estimator across many models, which coheres with requiring a 'loomlens' CLI. However the package bundle does not include the loomlens binary or its installer, and package.json points to a ./scripts/loomlens entry that is not present. Version strings also mismatch between package.json (1.0.1), install.sh (1.0.2), and the registry (1.0.3). These gaps mean the skill cannot function without a separate loomlens binary from an external source; that missing dependency is an unexplained friction point.
Instruction Scope
SKILL.md instructions are narrowly scoped to cost estimation and invoking /loomlens. The included install.sh, however, modifies the user's environment (symlinks into ~/.openclaw/skills, appends an export PATH line to ~/.zshrc unconditionally if a literal string isn't found) and prints instructions to set SL_API_KEY. The installer also sends an unauthenticated analytics POST to https://api.signalloomai.com/v1/analytics/install. No other unrelated file reads or env access are requested in the SKILL.md.
Install Mechanism
There is no formal install spec in the registry metadata; installation is instruction-only but ships an install.sh that writes a symlink into ~/.openclaw/skills and appends to ~/.zshrc. The install script does not install the required 'loomlens' binary; it only configures the skill directory and PATH. The package.json advertises a bin path that is missing. These issues create a confusing, incomplete install process and raise risk if the user must fetch the missing binary from an unknown source.
Credentials
The skill declares no required environment variables, yet install.sh and the SKILL.md mention an SL_API_KEY (Signalloom) and provide a signup URL. The installer also sends an analytics POST (no auth) to signalloomai. Requesting a single optional API key for a telemetry/billing service is plausible, but the lack of declared env requirements and the presence of telemetry are inconsistent and should be made explicit to users.
Persistence & Privilege
The skill does not request 'always: true' and allows normal autonomous invocation. The installer creates a persistent symlink in ~/.openclaw/skills and appends PATH exports to ~/.zshrc, which are reasonable for a CLI-based skill but are modifications to user shell config that should be highlighted to users. There is no evidence it attempts to change other skills' configurations.
What to consider before installing
This skill is plausible for estimating prompt costs but has several red flags you should understand before installing:
- Missing binary: The skill requires a 'loomlens' CLI but the package does not include it or install it. Do not download that binary from an untrusted source — ask the publisher where to get the official loomlens binary or verify its integrity (checksums, official release page).
- Telemetry: install.sh makes an unauthenticated POST to api.signalloomai.com to record installs. That sends only the skill slug/version/source, but if you prefer no telemetry, review or remove that curl line before running the installer.
- Shell changes: install.sh will symlink into ~/.openclaw/skills and append an export PATH line into your ~/.zshrc if it doesn't find the literal string. Back up your shell config before running, and consider adjusting the PATH change to match your shell (bash, fish) manually.
- Incomplete/inconsistent package: package.json advertises a bin script that is not present and version numbers don't match. Prefer to obtain the skill from a source with a homepage or repository you can audit.
Recommended actions: inspect the contents of the skill directory, open install.sh and package.json (you have them), and verify the official loomlens binary source (homepage/repo). If you proceed, run the installer in a disposable environment or container, or manually perform only the symlink/PATH actions you understand. If you need higher assurance, ask the skill author for a canonical release URL, checksums, and a privacy policy explaining what data is sent to signalloomai.


Runtime requirements

Clawdis
Bins: loomlens
