warn
suspicious.destructive_delete_command
- Location
- README.md:155
- Finding
- Documentation contains a destructive delete command without an explicit confirmation gate.
Revenium Budget Enforcement
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.destructive_delete_command
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
The agent may refuse or delay normal tasks based on the budget-status file.
Why it was flagged
The skill intentionally changes the agent's stopping conditions and applies them globally. This is aligned with the stated budget-enforcement purpose, but users should understand it can block unrelated work.
Skill content
MANDATORY — execute before EVERY response, EVERY tool call, EVERY operation. This applies to ALL tasks — not just Revenium-related ones.
Recommendation
Install only if you want Revenium budget checks to govern all agent activity, not just Revenium-related commands.
What this means
Skill commands may run with less interactive approval than the user expects.
Why it was flagged
The install flow lowers tool-approval friction for skill-declared binaries. That may be necessary for automation, but it broadens command execution authority beyond a simple passive budget check.
Skill content
Enable `autoAllowSkills` in `~/.openclaw/exec-approvals.json` so skill-declared binaries are auto-approved
Recommendation
Keep auto-approval as narrow as possible, document exactly which binaries are auto-approved, and let users opt out of this configuration.
What this means
A compromised or over-capable agent session could read Revenium account credentials/configuration from the sandbox.
Why it was flagged
The setup exposes the host Revenium CLI credential/config directory to the agent sandbox and explicitly bypasses a credential-path bind restriction. It is read-only and purpose-related, but still high-impact credential access.
Skill content
REVENIUM_CONFIG_DIR="${HOME}/.config/revenium" ... BIND_ENTRIES+=("${REVENIUM_CONFIG_DIR}:${REVENIUM_CONFIG_DIR}:ro") ... requires dangerouslyAllowExternalBindSourcesRecommendation
Use least-privilege Revenium tokens, prefer scoped environment injection over mounting credential directories, and clearly declare this credential access before install.
What this means
Private conversations, secrets pasted into chats, and sensitive generated output may be sent to Revenium automatically.
Why it was flagged
The reporter sends prompt/message/response text to the Revenium CLI, not just token counts. README.md also describes shipping user input, assistant response, and system prompt to Revenium.
Skill content
cmd+=(--system-prompt "${system_prompt}") ... cmd+=(--input-messages "${input_messages}") ... cmd+=(--output-response "${output_response}")Recommendation
Default to sending token metadata only, add explicit opt-in for content capture, and provide redaction/exclusion controls.
What this means
Conversation content may be retained in metering logs as well as sent to Revenium.
Why it was flagged
The script processes the main agent session history and, on reporting failure, logs the full command that can include prompt and response arguments. This creates additional local retention of sensitive context.
Skill content
SESSIONS_DIR="${OPENCLAW_HOME}/agents/main/sessions" ... warn "Command: ${cmd[*]}"Recommendation
Avoid logging full commands containing prompts/responses; redact or hash sensitive fields before writing logs.
Concern
ASI10: Rogue AgentsWhat this means
Budget-enforcement instructions or elevated sandbox settings may continue affecting the agent after the user thinks the skill is removed.
Why it was flagged
The skill persists global agent behavior outside a single invocation. The uninstall section shown removes the cron and skill directory, but does not clearly state that AGENTS.md and sandbox/approval changes are reverted.
Skill content
Inject a mandatory budget check section into `AGENTS.md` so budget enforcement is always in context
Recommendation
Provide a complete uninstall/rollback script that removes AGENTS.md injections, sandbox mounts, auto-approval changes, cron entries, logs, and generated config.
What this means
Users may install with --force without fully reviewing the sensitive permissions and data flows.
Why it was flagged
The documentation encourages bypassing a security warning and assures safety, despite the artifacts showing high-impact credential, telemetry, persistence, and sandbox changes.
Skill content
This is a false positive ... The skill is open source and safe to install. The `--force` flag bypasses this warning.
Recommendation
Avoid blanket safety claims; explain the exact warning, permissions, data sent, and tradeoffs so users can make an informed choice.