ai-quota-check

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: ai-quota-check
Version: 1.0.1

The skill is classified as suspicious due to the use of `child_process.execSync` in `index.js` and a prompt injection instruction in `SKILL.md`. While `execSync` is currently used with hardcoded, seemingly benign commands (`codex exec` and `sleep`) for refreshing local quota data, it is a powerful primitive that introduces a significant risk of shell injection if the command string were ever to incorporate unsanitized user input. Additionally, `SKILL.md` explicitly instructs the OpenClaw agent to "display the script output EXACTLY as-is," which is a prompt injection vector: it bypasses the agent's potential summarization or filtering and allows any malicious output from the script to be directly presented or acted upon by the agent. The skill also accesses sensitive local files (`~/.openclaw/agents/main/agent/auth-profiles.json`, `~/.codex/sessions/`) but does not show evidence of exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and running the skill may let it use locally stored provider login credentials to query Antigravity or GitHub Copilot account/quota APIs.

Why it was flagged

The script reads the user's local OpenClaw auth profile file and contains provider API calls using bearer tokens, while the registry declares no primary credential, env var, or required config path.

Skill content
const AUTH_FILE = path.join(process.env.HOME, '.openclaw/agents/main/agent/auth-profiles.json');
...
JSON.parse(fs.readFileSync(AUTH_FILE, 'utf8'));
...
'Authorization': `Bearer ${token}`

Recommendation

Only install if you are comfortable with it reading local auth profiles. The skill should explicitly declare the auth/config files it reads, list which provider tokens it uses, and avoid accessing unrelated profiles.

Concern: High Confidence
ASI05: Unexpected Code Execution
What this means

A quota check can silently make a Codex request using the user's account, potentially consuming quota and changing local Codex session files.

Why it was flagged

The script automatically runs the local Codex CLI whenever it refreshes Codex quota data, rather than only reading an existing quota endpoint or asking for explicit confirmation.

Skill content
execSync('codex exec --skip-git-repo-check "reply OK"', { cwd: process.env.HOME, stdio: 'ignore', timeout: 60_000 });
...
// Always refresh Codex rate limits by issuing a tiny Codex request first.

Recommendation

The skill should clearly disclose this behavior, provide an opt-out or cached-only mode, and avoid automatic provider calls unless the user explicitly agrees.

What this means

The skill may open recent Codex session logs on your machine, even though it appears to extract only rate-limit fields.

Why it was flagged

The code reads local Codex session JSONL files to extract rate-limit events. This is purpose-aligned for quota checking, but session files can contain sensitive conversation context and the SKILL.md does not disclose this local data access.

Skill content
const CODEX_SESSIONS_DIR = path.join(process.env.HOME, '.codex', 'sessions');
...
const text = fs.readFileSync(filePath, 'utf8');
...
if (payload?.type === 'token_count' && payload?.rate_limits)

Recommendation

The skill should document the exact session path it reads, minimize parsing to only needed records, and state that it does not display or transmit conversation contents.