Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawCost Basic — API Cost Monitor for OpenClaw

Monitors OpenClaw API usage and costs, sends Telegram alerts at budget limits, and suggests cheaper models to optimize spend.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 12 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (track OpenClaw API usage, send Telegram alerts, suggest cheaper models) matches the code's features (interceptor, tracker, optimizer, alerting). However, SKILL.md tells the user to 'add your Telegram token and chat ID' and states that 'everything stays 100% local', yet the code includes hard-coded credentials (an Anthropic API key and a Telegram token/chat ID). Hard-coded external credentials are not needed for the stated local monitoring purpose, so this is a mismatch.
Instruction Scope
SKILL.md claims no external data leaves the machine, but the runtime code performs network calls to api.anthropic.com and api.telegram.org and will post cost/usage messages to the hard-coded Telegram chat. The agent's ask_claude sends user messages to Anthropic using a baked-in API key, contradicting the 'no data sent to external servers' and 'no access to prompt content' claims.
Install Mechanism
There is no separate installer or downloaded archive; this is instruction/code bundled in the skill (no install spec). That lowers supply-chain risk from remote downloads. Risk comes from the included code and its hard-coded secrets, not from an installer URL.
Credentials
The skill declares no required env vars or credentials, yet the code contains hard-coded secrets: ANTHROPIC_API_KEY in agent.py and TELEGRAM_TOKEN / TELEGRAM_CHAT_ID in dashboard.py. Those embedded credentials are disproportionate and suspicious because they route telemetry/queries to third-party endpoints without requiring the user to provide their own credentials.
Persistence & Privilege
The skill registers an interceptor that replaces the OpenClaw LLM client's call method to log all calls — this is expected for cost tracking. It also can call 'openclaw stop' via subprocess to auto-pause, which is within the stated functionality. always:false (not forced into every agent) and no other system-wide modifications were found.
Scan Findings in Context
[HARD_CODED_ANTHROPIC_API_KEY] unexpected: agent.py contains a hard-coded ANTHROPIC_API_KEY (sk-ant-...), which is unnecessary if the skill truly requires the user to supply their own credentials and contradicts the 'everything stays 100% local' claim.
[HARD_CODED_TELEGRAM_TOKEN_AND_CHAT_ID] unexpected: dashboard.py contains a hard-coded TELEGRAM_TOKEN and TELEGRAM_CHAT_ID. SKILL.md instructs the user to add their own token and chat ID, but the baked-in values mean reports will be sent to the included chat unless the user edits the file.
[NETWORK_CALLS_TO_EXTERNAL_APIS] expected: The skill legitimately needs to call Telegram to deliver alerts. However, the code also calls Anthropic with a built-in API key for a 'support' agent, which is not documented as an external dependency in SKILL.md and conflicts with privacy statements.
What to consider before installing
Do not install or run this skill until you have vetted and fixed the hard-coded credentials. Specific actions to consider:

  • Replace or remove the baked-in ANTHROPIC_API_KEY and TELEGRAM_TOKEN/CHAT_ID before running; ideally the code should read these from environment variables (and prompt you) rather than contain secrets.
  • If you plan to use Telegram alerts, add your own bot token and chat ID and verify that messages are sent to your chat, not to the included chat ID.
  • Be aware that ask_claude in the code will forward user messages to Anthropic using the embedded key, which can expose prompts and content to the key owner. Remove or modify that behavior if you require local-only operation.
  • Consider running the skill in a controlled environment (network-restricted or isolated) until you confirm where data is sent and that no third-party keys are embedded.
  • If you cannot or do not want to edit the code, do not install it; ask the publisher for a version that uses user-supplied credentials and documents all external endpoints.

These inconsistencies strongly suggest the skill will exfiltrate usage data and potentially user queries unless you replace the credentials and verify its behavior.


Current version: v1.0.0
Tags: cost-tracking, telegram, budget-alerts, api-monitor, productivity
Version ID: vk974afqfeecs3d2yb9b5r8ztx183za8t (latest)

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

ClawCost — API Cost Monitor & Optimizer

Track every dollar your OpenClaw agent spends in real time. Get Telegram alerts before you go over budget.

What it does

  • Tracks every API call OpenClaw makes
  • Shows daily and monthly spend breakdowns
  • Alerts you at 80% and 100% of your budget
  • Recommends cheaper model swaps with projected savings

Supported providers

Anthropic, OpenAI, Google Gemini, Mistral

Setup

  1. Add your Telegram bot token and chat ID to dashboard.py
  2. Set your monthly budget: "set budget $20"
  3. That's it — ClawCost runs silently in the background

Commands

  • "show my costs" — daily spend report
  • "set budget $X" — set monthly cap
  • "optimize my models" — see where to save money

Pricing

$49 — one-time purchase

Files

7 total