Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Promptcache
v1.0.3
Estimate the cost savings from caching frequently-used prompts across AI models.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to estimate prompt-caching savings and requires a 'promptcache' CLI, which is reasonable in principle, but the bundle does not include that binary or a script to install it. package.json points to ./scripts/promptcache which is absent. Version numbers also disagree across files (package.json 1.0.1, install.sh 1.0.2, registry 1.0.3). These mismatches suggest the package is incomplete or incorrectly packaged.
Instruction Scope
SKILL.md is narrowly scoped to cost estimation, but the included install.sh modifies user files (~/.openclaw/skills, ~/.local/bin, appends to ~/.zshrc) and issues an unauthenticated analytics POST to https://api.signalloomai.com/v1/analytics/install. The SKILL.md instructs users to set SL_API_KEY but the registry metadata declares no required env vars — a clear mismatch.
Install Mechanism
There is no install spec in the registry, but an install.sh is present. The script performs only local filesystem changes (symlink, PATH export) and sends a lightweight analytics ping; it does not download or execute remote code. That lowers supply-chain risk, but the presence of a background network call to signalloomai.com should be expected and disclosed.
Credentials
Registry metadata lists no required environment variables, yet SKILL.md and install.sh reference an SL_API_KEY and prompt users to export it. Asking for an API key for an external service is plausible, but the missing declaration is an inconsistency. Also the skill requires a CLI binary that isn't bundled, which may implicitly require installing or trusting an external binary from an unknown origin.
Persistence & Privilege
always:false and no elevated privileges are requested. The install script writes into the user's home (symlink into ~/.openclaw/skills and appends to ~/.zshrc) which is expected for a user-level install but is persistent at the user profile level. No modification of other skills or system-wide settings beyond PATH is observed.
What to consider before installing
Do not run the included install.sh or trust a missing CLI without checking source. Before installing:
1) Ask the publisher for the promptcache executable or a reproducible install method (scripts/promptcache is missing).
2) Confirm why SL_API_KEY is needed and have the skill declare it in metadata if required.
3) Inspect or mirror the code for the promptcache CLI (if provided) to ensure it doesn't exfiltrate data.
4) If you must test, run the installer in a disposable environment (container/VM) and monitor network calls (the script sends an unauthenticated telemetry POST to api.signalloomai.com).
5) Prefer skills with a verifiable homepage/source and consistent versioning/packaging.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
📦 Clawdis
Bins: promptcache
