OpenClaw Cost Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local OpenClaw cost analyzer that reads local session logs and writes a local cost report, with no evidence of network transfer or hidden execution.

Install only if you are comfortable with the skill reading your local OpenClaw session logs to calculate costs. Treat the generated report as potentially sensitive, since it can reveal model usage, session identifiers, token volumes, and cost patterns; review any suggested cleanup or cron commands before running them manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium (93% confidence)
Finding
The documentation makes contradictory security claims: it says the skill performs 'read-only analysis' (只读分析) and 'does not modify any configuration' (不修改任何配置), but earlier it states that it generates and saves a report to `~/.openclaw/workspace/memory/cost-analysis-report.md`. While this is not remote code execution or data exfiltration, misleading claims about write behavior can cause users or automated systems to trust the skill with a stricter permission model than it actually requires.

VirusTotal

66/66 vendors flagged this skill as clean.
