Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Bill Clawhub

v2.2.5

Real-time AI API usage tracking and cost monitoring for OpenClaw. Track spending across OpenAI, Claude, Gemini, Kimi, DeepSeek, and Grok with live dashboard....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious, medium confidence
Purpose & Capability
The code implements a realtime billing/usage dashboard which aligns with the skill name/description. However there are multiple mismatches (installer and README reference different GitHub repo names: bill-project vs project-bill vs project-bill-master; several file paths differ across SKILL.md, collector.js, and scripts). The installer and scripts also attempt system-level actions (sudo, systemd service installation, writing to /var/www/html) that are beyond a simple in-agent billing helper and are disproportionate unless you expect a self-hosted system service.
Instruction Scope
SKILL.md explicitly directs an agent to read files under /root/.openclaw/workspace/bill_project/... and to update vault.json on the user's behalf. The collector code reads agent session data (/root/.openclaw/agents/main/sessions/sessions.json) and the OpenClaw config (/root/.openclaw/openclaw.json). Reading those paths can surface sensitive session/config information; writing vault.json or updating config is a scope-expanding action. There are also inconsistent references to usage.json locations (SKILL.md vs code).
Install Mechanism
Although registry metadata shows 'instruction-only', the bundle includes an installer script that downloads a zip from GitHub (curl/wget -> unzip -> npm install) and runs privileged actions. The installer uses sudo to copy systemd unit files and enable/start services. The repository URLs and archive names are inconsistent (bill-project vs project-bill), which is sloppy and increases risk (a crafted URL mismatch could point to an unexpected repo). The sync_prices.sh script writes fabricated pricing (adds 'GPT-9-ULTRA') and writes to a root path; using curl/wget + unzip + npm install from remote sources is higher risk and should be treated as arbitrary code execution if run.
Credentials
The skill declares no required environment variables or credentials, yet the collector and server access many system paths (agent sessions, OpenClaw config, /root/.openclaw workspace files) and write to system locations (/var/www/html). Accessing agent session files and the OpenClaw config can expose conversation metadata and runtime defaults. The lack of declared credentials while code touches these sensitive files is a mismatch and reduces transparency about what will be accessed.
Persistence & Privilege
Installer.sh attempts to create systemd services (copies files to /etc/systemd/system and enables/starts them) or to start background Node processes. That creates persistent background collectors running as system services and requires sudo. The skill does not declare 'always: true' but the installer’s use of systemd and nohup gives it persistent presence and elevated privileges if the user runs the installer with sudo.
What to consider before installing
Do not run the included installer or setup scripts without manual review. Specific risks to consider:
- The collector reads agent session files (/root/.openclaw/agents/...) and the OpenClaw config — these can contain sensitive runtime/session metadata; confirm you are comfortable with that access.
- Installer.sh uses sudo to install systemd services and writes to system locations (/etc/systemd/system, /var/www/html). That gives persistent, privileged background processes; only allow if you trust the code and run it on an isolated host.
- Several repository and path names are inconsistent (bill-project vs project-bill vs ai-bill etc.) and SKILL.md paths don't always match code. This could be sloppy or indicate copy-paste errors; it is a red flag — verify the canonical source repository and inspect it yourself.
- The web UI includes weak client-side locking (hard-coded SECURE_CODE = "1234") and the collector writes usage to /var/www/html, which may expose billing/session data publicly without authentication.

Recommendations:
1) Inspect the full code locally (collector.js, installer.sh, setup.js) before running anything. Search for all file reads/writes and network calls.
2) If you want to try it, run on an isolated VM/container (not your primary machine) and do not run installer.sh with sudo until you’ve audited the service unit files it would install.
3) Remove or change any code that writes usage to a public webroot, and protect the dashboard with a real server-side auth mechanism.
4) Confirm the authoritative GitHub repository and verify checksums/releases instead of piping curl|bash from an unknown URL.
5) If you cannot audit the code, prefer an alternative tool from a known, trusted source.

Like a lobster shell, security has layers — review code before you run it.
