Token Budget Monitor
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: token-budget-monitor
Version: 1.0.0
The SKILL.md file contains an 'Integration' example that demonstrates a shell injection vulnerability. The `exec` call builds a shell command by directly concatenating potentially untrusted inputs (`<job-name>` and `model`) without sanitization or quoting. An attacker who controls either value, for example through a malicious LLM response, could execute arbitrary commands on the host. This is a critical vulnerability, but there is no clear evidence of intentional malicious behavior (data exfiltration, backdoors, and so on) in the provided code or instructions, so the skill is classified as suspicious rather than malicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A poorly adapted integration could accidentally allow command injection in the cron job environment.
The documented cron integration uses shell exec with string concatenation. If job names or model values are ever dynamic or untrusted, shell metacharacters could be interpreted.
exec('node /path/to/track-usage.js track <job-name> ' +
     usage.input_tokens + ' ' + usage.output_tokens + ' ' + model);
Use safer argument passing such as execFile/spawn with an argument array, or strictly validate and quote job and model values.
The skill may fail or behave differently if Node is unavailable in the environment.
The skill's usage depends on Node, while the metadata declares no required binaries. This is an under-declared runtime dependency rather than hidden behavior.
node track-usage.js status
Confirm Node is available before use, and the publisher should declare Node as a required binary or runtime.
Local workspace files will contain a record of cron job activity and model usage.
The script persists job names, model names, run counts, and token counts to a local JSON file that is later reused for status, alerts, and recommendations.
const USAGE_FILE = path.join(OUTPUT_DIR, 'token-usage.json'); ... fs.writeFileSync(USAGE_FILE, JSON.stringify(usage, null, 2));
Avoid sensitive job names, protect workspace file permissions, and delete or rotate the usage file if you do not want this history retained.
A user could overestimate the skill's ability to prevent token spending or automatically change models.
The README advertises automatic fallback, but the included implementation only logs usage, alerts, and prints model recommendations. Users should not assume it enforces budget limits automatically.
- **Auto-fallback** — switch to cheaper models when over budget
Treat this as a monitoring/recommendation tool unless you add separate enforcement logic, and the publisher should clarify the documentation.
