Token Ledger (SQLite)

Security checks across malware telemetry and agentic risk

Overview

This is a local OpenClaw usage and cost ledger with an optional background watcher. Its sensitive behavior (reading session JSONL files, writing a local SQLite database and checkpoint, and optionally installing a macOS LaunchAgent) is disclosed and consistent with that purpose.

Use the one-shot backfill if you only need occasional reports. Install the LaunchAgent only if you want continuous local monitoring, inspect the rendered plist first, and treat ~/.openclaw/ledger.db as sensitive because it records your model usage and cost history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly performs filesystem reads and writes against sensitive user-scoped paths such as ~/.openclaw/ledger.db, ~/.openclaw/ledger-checkpoint.json, session JSONL files, and ~/Library/LaunchAgents, yet no permissions are declared. That mismatch can mislead operators or policy engines about the skill's true capabilities and reduce informed consent around local data access and modification.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The watcher continuously ingests local session JSONL files and persists usage metadata into a separate SQLite ledger and checkpoint file under ~/.openclaw. Even though the primary purpose is accounting, this creates an additional durable store of potentially sensitive behavioral metadata (model usage, timestamps, session identifiers, and raw usage records) without any visible consent prompt, disclosure, retention control, or access hardening in this script. In a ledger/auditing skill this behavior is expected, but the audit-grade, daemonized nature of the tool makes the privacy exposure more concrete, not less: the data accumulates indefinitely and survives the sessions it describes.

Session Persistence

Medium
Category
Rogue Agent
Content
Skill scripts:
- `scripts/ledger_watcher.py` — watcher daemon (supports `--once`)
- `scripts/ledger_schema.sql` — DDL
- `scripts/com.openclaw.token-ledger-watcher.plist` — LaunchAgent template

## Standard operations (use exec)
Confidence
88% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
### 2) Install / start daemon (macOS LaunchAgent)

This renders the plist with your local `$HOME` (no hard-coded username paths):

```bash
python3 ~/.openclaw/workspace/skills/token-ledger/scripts/render_plist.py \
```
Confidence
94% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
This renders the plist with your local `$HOME` (no hard-coded username paths):

```bash
python3 ~/.openclaw/workspace/skills/token-ledger/scripts/render_plist.py \
  > ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl list | rg token-ledger-watcher
```
Confidence
95% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
python3 ~/.openclaw/workspace/skills/token-ledger/scripts/render_plist.py \
  > ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl list | rg token-ledger-watcher
```
Confidence
96% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
python3 ~/.openclaw/workspace/skills/token-ledger/scripts/render_plist.py \
  > ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl list | rg token-ledger-watcher
```
Confidence
95% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
python3 ~/.openclaw/workspace/skills/token-ledger/scripts/render_plist.py \
  > ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.token-ledger-watcher.plist
launchctl list | rg token-ledger-watcher
```
Confidence
95% confidence
Finding
plist
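The install procedure quoted in the Session Persistence findings above pipes `render_plist.py` straight into `~/Library/LaunchAgents` and loads it, which is exactly the step the overview says to inspect first. The following is an added example, not code from the token-ledger skill or from SkillSpector: it parses a rendered LaunchAgent plist with the standard `plistlib` and refuses it unless the label and watcher script match what the instructions promise, every absolute argument lives under `$HOME`, and no `EnvironmentVariables` block or identity/listener keys are present. The sample plist, the expected key set and the policy itself are assumptions for illustration; the skill's real template is not reproduced on this page.

```python
"""Inspect a rendered LaunchAgent plist before `launchctl load`.

Added example, not part of the token-ledger skill. The sample plist below is
constructed to stand in for render_plist.py output; the keys it contains and the
policy checks are assumptions for illustration.
"""
import os
import plistlib

# Constructed sample of what a benign render for this skill might look like.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.openclaw.token-ledger-watcher</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/python3</string>
    <string>/Users/alice/.openclaw/workspace/skills/token-ledger/scripts/ledger_watcher.py</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# launchd keys a local usage watcher has no reason to carry (assumed policy).
SUSPECT_KEYS = {"Sockets", "UserName", "GroupName", "RootDirectory", "inetdCompatibility"}


def audit_launch_agent(data: bytes, home: str, expected_label: str, expected_script: str):
    """Return (ok, findings); ok is True only when no finding was recorded."""
    findings = []
    p = plistlib.loads(data)

    if p.get("Label") != expected_label:
        findings.append(f"Label mismatch: {p.get('Label')!r}")

    args = p.get("ProgramArguments") or []
    if not args:
        findings.append("ProgramArguments missing or empty")

    # The only script the job should run is the watcher under this user's $HOME.
    script_args = [a for a in args if a.endswith(".py")]
    if script_args != [expected_script]:
        findings.append(f"unexpected script argument(s): {script_args!r}")
    for a in args[1:]:  # args[0] is the interpreter; system paths are fine there
        if a.startswith("/") and not a.startswith(home + "/"):
            findings.append(f"argument outside $HOME: {a}")

    # A rendered template that injects env vars is the usual way keys leak into a job.
    if "EnvironmentVariables" in p:
        findings.append("EnvironmentVariables present: " + ", ".join(sorted(p["EnvironmentVariables"])))
    for k in sorted(SUSPECT_KEYS & set(p)):
        findings.append(f"unexpected key: {k}")

    return (not findings, findings)


def audit_rendered_file(path: str, expected_label: str, expected_script: str):
    """Audit a plist already written to disk, e.g. ~/Library/LaunchAgents/<label>.plist."""
    with open(os.path.expanduser(path), "rb") as fh:
        return audit_launch_agent(fh.read(), os.path.expanduser("~"), expected_label, expected_script)


def demo():
    """Clean render passes; a tampered render (env var + script outside $HOME) fails."""
    home = "/Users/alice"  # assumed home for the constructed sample
    label = "com.openclaw.token-ledger-watcher"
    script = f"{home}/.openclaw/workspace/skills/token-ledger/scripts/ledger_watcher.py"
    clean = audit_launch_agent(SAMPLE_PLIST, home, label, script)

    p = plistlib.loads(SAMPLE_PLIST)
    p["EnvironmentVariables"] = {"OPENCLAW_API_KEY": "example-not-real"}  # constructed
    p["ProgramArguments"][1] = "/tmp/ledger_watcher.py"
    tampered = audit_launch_agent(plistlib.dumps(p), home, label, script)
    return clean, tampered


if __name__ == "__main__":
    for ok, findings in demo():
        print("OK" if ok else "REJECT", findings)
```

Render to a temporary file, run the audit, and only then copy into `~/Library/LaunchAgents` and `launchctl load`; a job loaded from that directory restarts at every login (and, with `KeepAlive`, after every exit), which is why the scanner files it under Session Persistence.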

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal