Skill v0.2.1
ClawScan security
ClawUsage Windows Hardlock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 3:46 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (runs local PowerShell monitoring scripts), but the packaged scripts read local OpenClaw session/auth files, call an external API with a local token, and can install a scheduled task. That behavior is sensitive and not fully documented in the SKILL.md.
- Guidance: This skill will copy bundled PowerShell files into your user profile, read OpenClaw session logs and the local auth-profiles.json, and make an outbound request to https://chatgpt.com/backend-api/wham/usage using the token it finds. That can expose or transmit your local credentials to a remote endpoint. If you want to install it, first: (1) inspect the three included scripts locally (they are in the skill package) to confirm their behavior and the exact endpoints called; (2) do not enable the 'auto' scheduled task unless you trust the code and the endpoint; (3) consider running it in a restricted/test account or offline to verify what data it prints; and (4) ask the publisher to state explicitly why a bearer token is needed and which remote host will receive it. If you are uncomfortable with local token access or unknown network calls, do not install or run the skill.
Review Dimensions
- Purpose & Capability (note): The skill's name and description match the included PowerShell scripts: it inspects local OpenClaw session and usage data to report quotas and set idle alerts. Reading .openclaw workspace files and materializing/running local PS1 scripts is coherent with its stated monitoring purpose. However, extracting an auth token from OpenClaw's auth-profiles.json to query remote usage is a higher-privilege action than a simple local monitor and is not explicitly documented in the SKILL.md.
- Instruction Scope (concern): The runtime scripts (openclaw-usage-monitor.ps1 and clawusage-auto-worker.ps1) parse local session logs and auth-profiles.json to compute token/usage data, and they perform an outbound HTTPS call to https://chatgpt.com/backend-api/wham/usage using a bearer token taken from the local auth file. The SKILL.md does not explicitly state that local credentials will be read or that external network calls will be made with those tokens. That combination (reading local credentials plus a remote call) is sensitive and worth scrutiny.
- Install Mechanism (ok): Instruction-only skill with bundled .txt PowerShell scripts; no downloads or third-party install steps. It will copy packaged text files into a runtime folder under %USERPROFILE% and execute them. No external install URLs or extracted archives are used.
- Credentials (concern): The skill declares no required env vars or credentials, yet the scripts access user files (e.g., %USERPROFILE%\.openclaw\agents\main\agent\auth-profiles.json and session logs) and optionally include local tokens in output. Using a locally stored auth token to call an external API is not reflected in the metadata and is disproportionate for a 'view usage' description unless the user expects the tool to use that token.
- Persistence & Privilege (note): The scripts can create a persistent runtime directory under %USERPROFILE% (\.clawusage\skill-runtime) and can register a Windows Scheduled Task (ClawUsageAuto) to run the background worker at intervals. This is consistent with the 'auto idle alerts' functionality but is a persistent change that will run periodically in the user's account.
