Inference Cost Audit
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: inference-audit Version: 1.0.2 The skill functions primarily as a lead-generation and marketing tool for a specific third-party service (gpubridge.io). While the tools in tool.json are limited to benign pricing lookups, the SKILL.md instructions direct the agent to inventory the user's sensitive AI infrastructure costs and perform an account registration via a POST request to 'https://api.gpubridge.io/account/register' using the user's email. This behavior leverages the agent to extract user data and perform external sign-ups, which borders on data harvesting under the guise of a cost audit.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user benchmarks the service, they may create an account and use a provider API key.
The skill documents optional account registration and authenticated API use with GPU-Bridge. This is expected for testing a provider, but it means the user may provide identity and credential material.
curl -X POST https://api.gpubridge.io/account/register ... -d '{"email":"your@email.com"...}' ... -H "Authorization: Bearer YOUR_API_KEY"Use a dedicated account or limited-scope API key where possible, and avoid sharing credentials beyond the provider needed for the benchmark.
Prompts, documents, images, audio, or other benchmark inputs could be sent to GPU-Bridge if the user follows the testing workflow.
The benchmarking workflow sends input data to an external provider endpoint. The data flow is disclosed and purpose-aligned, but the artifacts do not describe privacy, retention, or filtering guidance for sensitive benchmark data.
Test with real data, not marketing claims. ... curl -X POST https://api.gpubridge.io/run ... -d '{"service":"llm-4090","input":{"prompt":"Hello world","max_tokens":50}}'Benchmark with non-sensitive samples unless the provider’s privacy and data-retention terms are acceptable for the data being tested.
Users choosing this path could authorize per-request payments through a crypto wallet.
The skill describes an optional payment path using a wallet transaction reference. It does not request a private key and appears purpose-aligned, but it involves payment-related identity and spend authority.
For agents with crypto wallets — pay per-request with USDC on Base L2 (no account needed): X-Payment: base64({"txHash":"0x...","from":"0xYourWallet"})Only use wallet payment if you understand the cost and have reviewed the transaction; never provide private keys or seed phrases.