Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Huo15 Cost Tracker
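v1.1.2
Huo15 Cost Tracker - tracks AI API usage, token consumption, and cost calculation. Supports MiniMax, OpenAI, and other models. Trigger words: 成本追踪 (cost tracking), 火一五成本追踪 (Huo15 cost tracking), 火一五成本追踪器 (Huo15 Cost Tracker), Cost Tracker, 花费了多少 (how much was spent), token 统计 (token statistics).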
⭐ 0· 22·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Skill name/description match the delivered files: scripts record tokens, compute cost based on pricing.json, store stats and produce reports. However, some code uses a user-specific absolute path (/Users/jobzhao/...) to load config which is inconsistent with other parts that use relative paths or $HOME — this is likely a leftover developer artifact and reduces portability.
Instruction Scope
Runtime instructions and scripts operate locally: they read/write JSON stats under $HOME/.openclaw/workspace/memory/activity, read config/pricing.json and threshold.json, and generate reports. They do not make network calls or request secrets. Scope stays within cost-tracking functionality, but several examples and a code path hardcode /Users/jobzhao which is out-of-scope for a general skill and may cause unexpected behavior.
Install Mechanism
No install spec (instruction-only with included scripts). Nothing is downloaded from external URLs and no packages are installed by the skill itself.
Credentials
The skill requests no environment variables or credentials. It only reads/writes files under the user's HOME workspace directory. This is proportional to its purpose. Note: the hardcoded path bypasses $HOME in one code path, which could unintentionally read another user's files if that path exists.
Persistence & Privilege
always:false and no modifications to other skills or global agent config. The scripts persist only their own JSON stats and backups under the user's workspace — expected for this task.
What to consider before installing
This skill is largely coherent with its stated purpose — it records token counts and computes costs locally and does not request secrets or network access. Before installing or running:
1) Inspect and fix the hardcoded absolute path (/Users/jobzhao/...) in get_model_pricing (and any examples) so the script uses SCRIPT_DIR or $HOME instead; otherwise it may fail or read/write the wrong location.
2) Note sed -i '' usage (macOS-specific) — on Linux this may fail; adapt to portable sed usage.
3) Verify the storage location (~/.openclaw/workspace/memory/activity) and permissions, and back up any existing cost-stats.json before running reset.
4) If you plan to enable automated cron/HEARTBEAT entries, update example paths to your user account and confirm no unintended commands are scheduled.
If you are not comfortable editing scripts, treat this as suspicious until the hardcoded paths and portability issues are fixed.
Like a lobster shell, security has layers — review code before you run it.
latestvk973ccvpf8ntebsy91c0ysphah846kax
