Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Cost Auditor
v1.0.0 · Track and report OpenClaw API usage, model costs, token consumption, and forecast spending with optimization recommendations.
⭐ 0 · 1k · 7 current · 8 all-time
by Goroni@gblockchainnetwork
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description (audit OpenClaw usage, query API metrics, forecast billing) mostly matches the included log-parsing script, which sums token counts from logs. However, the SKILL.md also advertises integrations with the Grok/xAI API and 'custom providers', plus features such as PDF reports and templates, yet there are no API calls, no templates included, and no environment variables or credentials declared. That mismatch is unexplained.
Instruction Scope
The runtime script reads files under /var/log/openclaw (or a provided path) and parses every '*.log' entry for 'tokens: N'. Reading system logs is consistent with auditing, but it can expose sensitive information; SKILL.md gives no guidance on limiting scope, filtering PII, or where reports are stored or transmitted. The SKILL.md Quick Start example also implies a CLI invocation that is not provided as an installed binary.
Install Mechanism
There is no install spec (instruction-only) and only a small Python script is included. This is low risk from an install vector perspective — nothing is downloaded from external URLs and no packages are installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for a pure log parser. However, the documentation's claim of querying external APIs implies it should request API keys or credentials; the absence of any declared secrets is an inconsistency that should be explained.
Persistence & Privilege
The skill's always flag is false, and it does not request persistent or elevated platform privileges. It does not modify other skills or agent-wide config.
What to consider before installing
This skill appears to be a simple log parser that sums 'tokens: N' entries and estimates cost. Before installing:
1) Confirm whether the author intends the advertised API integrations and, if so, require explicit API credentials and documented endpoints.
2) Be aware the script reads /var/log/openclaw by default. Run it with an explicit, non-privileged path first and inspect the logs for sensitive content.
3) Ask for the missing files the SKILL.md references (templates/report.md, CLI wrapper), or run the script manually in a sandbox to verify its behavior.
4) If you plan to allow autonomous invocation, restrict the skill's file-read permissions and ensure it cannot access unrelated system logs or secrets.
5) If you need networked metric aggregation, prefer an implementation that clearly requests and documents the required credentials and safe transmission endpoints.
Like a lobster shell, security has layers — review code before you run it.
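The points under Instruction Scope and items 2 to 4 above come down to one practical check: run the 'tokens: N' summation only against a directory you chose, and look at what those logs contain before a third-party skill reads them. The script below is an added example written for this review, not the skill's own script and not code from the author. It reimplements the behavior the scan describes (sum 'tokens: N' across '*.log' files and estimate cost) with three guards the skill lacks: an explicit scope directory instead of the /var/log/openclaw default, skipping of planted symlinks, and a pre-scan that flags lines that look like API keys, bearer tokens or e-mail addresses. The sample log lines, the temporary directory, the price per 1k tokens and the sensitive-pattern regexes are all constructed for the example.

```python
"""Added example (not the skill's code): scope-restricted stand-in for the
'tokens: N' log summation, with a sensitive-content pre-check.
Paths, price and log lines are constructed for the example."""
import os
import re
import tempfile
from pathlib import Path

TOKEN_RE = re.compile(r"\btokens:\s*(\d+)\b")

# Constructed patterns for things a log should not contain before it is
# handed to a third-party skill; tune these for your own log format.
SENSITIVE_PATTERNS = {
    "api_key": re.compile(r"\b(?:sk|xai)-[A-Za-z0-9_-]{16,}"),
    "bearer": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def resolve_scope(log_dir, allowed_root):
    """Require an explicit directory inside allowed_root.

    Refuses the implicit system-log default and any path that resolves
    outside the allowed root (e.g. via '..' or a symlinked directory)."""
    if log_dir is None:
        raise ValueError("pass an explicit log directory; the /var/log/openclaw default is not used here")
    root = Path(allowed_root).resolve()
    target = Path(log_dir).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"{target} is outside the allowed root {root}")
    return target


def scan_sensitive(path):
    """Return (file, line number, label) for each line matching a sensitive pattern."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for label, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path.name, lineno, label))
    return findings


def sum_tokens(log_dir, allowed_root, price_per_1k):
    """Sum 'tokens: N' over *.log files in scope and estimate cost."""
    target = resolve_scope(log_dir, allowed_root)
    total = 0
    findings = []
    for path in sorted(target.glob("*.log")):
        if path.is_symlink():  # a planted symlink could point outside the scope
            continue
        findings.extend(scan_sensitive(path))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                match = TOKEN_RE.search(line)
                if match:
                    total += int(match.group(1))
    return {
        "tokens": total,
        "cost_usd": round(total / 1000 * price_per_1k, 6),
        "findings": findings,
    }


def demo():
    """Build constructed logs in a temp dir and audit only that directory."""
    root = Path(tempfile.mkdtemp(prefix="openclaw-audit-"))
    (root / "a.log").write_text(
        "2024-01-01T00:00:00Z model=grok-2 tokens: 1200\n"
        "2024-01-01T00:01:00Z model=grok-2 tokens: 800 user=alice@example.com\n"
    )
    (root / "b.log").write_text(
        "2024-01-01T00:02:00Z retry tokens: 500\n"
        "Authorization: Bearer abcdefghijklmnop1234\n"
    )
    (root / "notes.txt").write_text("tokens: 99999\n")  # not *.log, must be ignored
    os.symlink("/etc/hostname", root / "escape.log")  # planted symlink, must be skipped
    report = sum_tokens(root, root, price_per_1k=0.002)
    try:
        sum_tokens("/var/log/openclaw", root, price_per_1k=0.002)
    except PermissionError as exc:
        report["scope_error"] = str(exc)
    return report


if __name__ == "__main__":
    print(demo())
```

The findings list is the part worth reading before installing the skill: if your real logs produce entries there, they carry material you would not want a skill with undocumented reporting or transmission behavior to read, regardless of whether the advertised API integrations ever appear.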
latest vk970xg9z6ngatx1yfr0vrag8tn81h541
