Skillv1.0.0

ClawScan security

Cost Governor - Subagent Budget Control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 25, 2026, 5:19 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements, files, and instructions are coherent with its stated purpose: pre-flight cost estimation, logging, and gating of subagent spawns — it does not request credentials or install arbitrary code from remote sources.
Guidance: This skill appears to do exactly what it claims: estimate costs, require approval over a small threshold, and log to a workspace note. It does not request secrets or reach out to remote endpoints. Before installing: 1) Review the included JS files (lib/cost-tracker.js, bin/cost-summary.js) yourself — they operate on ~/.openclaw/workspace and append/update cost-tracking.md; 2) Back up or create a dedicated workspace path to avoid accidental writes to other notes; 3) Prefer configuring budget via the workspace .env or skill config rather than blindly pasting enforcement text into your global system prompt — changing system prompts is powerful and can affect other agent behavior; 4) If you enable cron jobs or automated invocation, test the scripts manually first (run node bin/cost-summary.js --daily) to confirm behavior; 5) If you want stricter guarantees, require manual approval (do not allow autonomous agent invocations) or lower the approval threshold. Overall, the package is coherent and low-risk, but exercise normal caution when allowing automated changes to prompts or adding scheduled tasks.
Findings: [system-prompt-override] expected: The SKILL.md recommends adding a budget enforcement line to the system prompt to stop spawning when a threshold is reached. A prompt-injection detector flagged that pattern; here it's a user-facing suggestion to change the system prompt for governance. That is plausible for this tool but is a high-impact action — users should deliberately control any system-prompt edits.

Review Dimensions

Purpose & Capability: okName/description align with what the skill does: estimation functions, logging to a workspace note, and a CLI summary. The included JS libraries (cost-tracker, cost-summary) are exactly what you'd expect for this functionality. No unrelated binaries, services, or credentials are requested.
Instruction Scope: noteInstructions direct the agent to estimate costs, write/read the workspace tracking file (~/.openclaw/workspace/notes/cost-tracking.md), optionally set DAILY_BUDGET in a workspace .env, and integrate with sessions_spawn and cron. This stays within the stated purpose. One notable item: the SKILL.md suggests adding a budget line to the system prompt to enforce stops ("Daily API budget: $XX. Stop spawning subagents if estimated total exceeds this"). A static scanner flagged that pattern as 'system-prompt-override' — in this context it appears to be a user-facing recommendation to put budget guidance in the system prompt (which is a plausible operational approach) but modifying the system prompt is powerful and should be done intentionally.
Install Mechanism: okThere is no remote install step or download URL; the package is instruction+local JS files. That is low risk compared to remote installation. The included scripts are plain Node.js and operate on local files; no external network calls or downloads are present in the code.
Credentials: okThe skill requests no credentials or environment variables. It suggests writing a DAILY_BUDGET to a workspace .env as an optional convenience — this is proportional for a budget-enforcement tool. It reads and writes files in the user's workspace only (no access to system-wide credentials or unrelated config paths).
Persistence & Privilege: okalways is false and the skill can be invoked autonomously (default). It does not request permanent elevated privileges, does not modify other skills' config, and does not write to system-wide settings beyond user workspace files and optional cron entries (cron addition is user-driven in README).