Agent Budget Controller

Security checks across malware telemetry and agentic risk

Overview

This is a local budget-tracking CLI whose code and documentation mostly match its stated purpose, with a couple of risks in its documented manual steps that users should handle carefully.

Safe to install for local cost tracking if you are comfortable with it writing budget files under ~/.openclaw/budget. Treat the usage log as audit data: archive or back it up instead of deleting it when possible, and avoid the broad `pkill -f` example unless you first verify the exact process you intend to stop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding
The example includes `pkill -f runaway-agent`, which is a destructive process-termination command presented as an incident-response action without safety guidance. Because `-f` matches against full command lines, users may kill unintended processes with similar names, causing denial of service or disruption on the host system.

Missing User Warnings

Low
Confidence: 90%
Finding
The README instructs users to delete the append-only usage log to reset counters, but it does not explicitly warn that this permanently destroys historical spend/audit data. In a budgeting and oversight tool, losing usage history can undermine accountability, incident review, and cost forensics, even if the action is manual and local.

VirusTotal

65/65 vendors flagged this skill as clean.
