Revenium Budget Enforcement
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is coherently a budget-enforcement tool, but it grants broad persistent control, exposes local Revenium credentials to the sandbox, and automatically reports conversation content to Revenium.
Review this skill carefully before installing. It is not just a local budget reminder: it can change OpenClaw configuration, install a background cron job, expose Revenium credentials to the sandbox, and report conversation content to Revenium. Only use it with least-privilege Revenium credentials, avoid pasting secrets into agent chats, and verify you can fully revert its AGENTS.md, sandbox, approval, cron, and log changes.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may refuse or delay normal tasks based on the budget-status file.
The skill intentionally changes the agent's stopping conditions and applies them globally. This is aligned with the stated budget-enforcement purpose, but users should understand it can block unrelated work.
MANDATORY — execute before EVERY response, EVERY tool call, EVERY operation. This applies to ALL tasks — not just Revenium-related ones.
Install only if you want Revenium budget checks to govern all agent activity, not just Revenium-related commands.
Skill commands may run with less interactive approval than the user expects.
The install flow lowers tool-approval friction for skill-declared binaries. That may be necessary for automation, but it broadens command execution authority beyond a simple passive budget check.
Enable `autoAllowSkills` in `~/.openclaw/exec-approvals.json` so skill-declared binaries are auto-approved
Keep auto-approval as narrow as possible, document exactly which binaries are auto-approved, and let users opt out of this configuration.
A compromised or over-capable agent session could read Revenium account credentials/configuration from the sandbox.
The setup exposes the host Revenium CLI credential/config directory to the agent sandbox and explicitly bypasses a credential-path bind restriction. It is read-only and purpose-related, but still high-impact credential access.
REVENIUM_CONFIG_DIR="${HOME}/.config/revenium" ... BIND_ENTRIES+=("${REVENIUM_CONFIG_DIR}:${REVENIUM_CONFIG_DIR}:ro") ... requires dangerouslyAllowExternalBindSourcesUse least-privilege Revenium tokens, prefer scoped environment injection over mounting credential directories, and clearly declare this credential access before install.
Private conversations, secrets pasted into chats, and sensitive generated output may be sent to Revenium automatically.
The reporter sends prompt/message/response text to the Revenium CLI, not just token counts. README.md also describes shipping user input, assistant response, and system prompt to Revenium.
cmd+=(--system-prompt "${system_prompt}") ... cmd+=(--input-messages "${input_messages}") ... cmd+=(--output-response "${output_response}")Default to sending token metadata only, add explicit opt-in for content capture, and provide redaction/exclusion controls.
Conversation content may be retained in metering logs as well as sent to Revenium.
The script processes the main agent session history and, on reporting failure, logs the full command that can include prompt and response arguments. This creates additional local retention of sensitive context.
SESSIONS_DIR="${OPENCLAW_HOME}/agents/main/sessions" ... warn "Command: ${cmd[*]}"Avoid logging full commands containing prompts/responses; redact or hash sensitive fields before writing logs.
Budget-enforcement instructions or elevated sandbox settings may continue affecting the agent after the user thinks the skill is removed.
The skill persists global agent behavior outside a single invocation. The uninstall section shown removes the cron and skill directory, but does not clearly state that AGENTS.md and sandbox/approval changes are reverted.
Inject a mandatory budget check section into `AGENTS.md` so budget enforcement is always in context
Provide a complete uninstall/rollback script that removes AGENTS.md injections, sandbox mounts, auto-approval changes, cron entries, logs, and generated config.
Users may install with --force without fully reviewing the sensitive permissions and data flows.
The documentation encourages bypassing a security warning and assures safety, despite the artifacts showing high-impact credential, telemetry, persistence, and sandbox changes.
This is a false positive ... The skill is open source and safe to install. The `--force` flag bypasses this warning.
Avoid blanket safety claims; explain the exact warning, permissions, data sent, and tradeoffs so users can make an informed choice.