ClawHub
Back to skill
v2.2.5

Ai Bill Clawhub

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:34 AM.

Analysis

The skill is a plausible billing dashboard, but it reads OpenClaw session data, runs persistent services, and exposes or changes billing data through weakly protected web/API paths.

GuidanceReview carefully before installing. Only use this if you are comfortable with a background Node service reading OpenClaw session metadata, writing billing data to local/web paths, and opening a dashboard service. Prefer running it behind localhost/VPN or real authentication, remove public /var/www/html publishing unless needed, reset the bundled vault data, and inspect or replace the installer with pinned, non-sudo setup steps.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
app/server.js
app.get('/api/vault', ... res.json(vault)); ... app.post('/api/setup', ... fs.writeFileSync(vaultPath, JSON.stringify(data, null, 2));

The HTTP API reads and overwrites vault.json from request data without authentication, authorization, CSRF protection, or a visible confirmation step.

User impactIf the dashboard port is reachable, someone could view or alter the billing balances and modes used for cost tracking, causing misleading spend data.
RecommendationBind the service to localhost by default, require authentication for /api/vault and /api/setup, validate inputs, and require explicit user confirmation before changing billing configuration.
Agentic Supply Chain Vulnerabilities
SeverityHighConfidenceHighStatusConcern
app/installer.sh
# Usage: curl -fsSL [URL] | bash ... wget -q https://github.com/fumabot16-max/project-bill/archive/refs/heads/master.zip -O master.zip ... npm install --silent

The installer pattern executes a remote shell workflow, downloads a mutable master branch, and runs dependency installation rather than pinning a reviewed release or commit.

User impactA future install could execute code or dependencies that differ from the artifacts being reviewed here.
RecommendationPin downloads to immutable releases or commits, rely on a ClawHub install spec, preserve lockfile-based installs, and avoid curl-to-shell installation guidance.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
app/setup.js
execSync('npm install', { stdio: 'inherit' });

The setup script automatically runs npm install when node_modules is missing; this is related to setup, but it executes package-manager behavior from the project environment.

User impactRunning setup may execute npm lifecycle scripts or dependency code on the user’s machine.
RecommendationRun setup only from a reviewed checkout, keep dependencies locked, and prefer prompting the user before automatic package installation.
Rogue Agents
SeverityMediumConfidenceHighStatusNote
app/collector.js
calculateUsage();
setInterval(calculateUsage, 27000);

The collector continuously polls usage data in the background, which is expected for real-time monitoring but important for users to understand.

User impactThe skill can keep reading session usage and updating files periodically after it is started.
RecommendationProvide clear controls to start, stop, disable, and uninstall the collector, and document the polling interval and files touched.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
app/installer.sh
sudo cp systemd/*.service /etc/systemd/system/
sudo systemctl enable ai-bill ai-bill-collector
sudo systemctl start ai-bill ai-bill-collector

The installer can modify system-level service configuration and start privileged persistent services, but the registry metadata declares no required binaries, config paths, or install spec.

User impactInstalling this way can alter the host’s service state and keep processes running beyond the current OpenClaw task.
RecommendationAvoid sudo/system-wide installation by default; use user-level services, declare privilege requirements, include reviewed service unit files, and provide clear stop/uninstall steps.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityHighConfidenceHighStatusConcern
app/collector.js
const WEB_LIVE_PATH = '/var/www/html/bill/usage_live.json'; ... fs.writeFileSync(WEB_LIVE_PATH, jsonStr);

The collector copies usage data into a standard web-root path outside the app directory, while SKILL.md only declares managed files inside app/.

User impactAI usage, model/runtime metadata, spending, and balance-derived values may become visible through an existing web server without the user realizing it.
RecommendationDo not write usage data to public web roots by default; keep data under the skill directory with restrictive permissions and document any external publishing path clearly.
Memory and Context Poisoning
SeverityMediumConfidenceHighStatusNote
app/collector.js
const SESSION_PATH = '/root/.openclaw/agents/main/sessions/sessions.json'; ... sessionsRaw = fs.readFileSync(SESSION_PATH, 'utf8');

The collector reads the local OpenClaw agent session store to calculate token usage; this is purpose-aligned, but session stores can contain sensitive task metadata.

User impactThe skill can observe session-level usage metadata such as models and token counts and persist derived cost summaries.
RecommendationDocument the exact fields read from sessions, avoid logging sensitive session content, and ensure the collector has only the minimum file permissions needed.