Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Api Cost Optimizer

v1.0.0

Analyze OpenClaw agent configuration and API usage patterns to identify cost-saving opportunities. Diagnose inefficient heartbeat configs, estimate daily/wee...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description align with its actions: the scripts read OpenClaw config files under ${HOME}/.openclaw, count skills, estimate heartbeat and task costs, and emit recommendations. However, SKILL.md and the scripts disagree on the default provider (SKILL.md defaults API_COST_MODEL to 'openai' while analyze.sh defaults to 'minimax'), and the metadata declares 'curl' as a required binary even though none of the scripts invoke curl. These are inconsistencies (likely sloppy engineering) but not necessarily malicious.
Instruction Scope
The SKILL.md instructs running the included scripts; the scripts' runtime behavior matches those instructions. The scripts only read user-home OpenClaw configuration paths (~/.openclaw/openclaw.json, ~/.openclaw/agents/*/agent.json and workspace/skills) and do not transmit data externally. They parse JSON with python3 and perform local arithmetic and reporting.
Install Mechanism
No install spec is present (instruction-only with bundled scripts). Nothing is downloaded or installed by the skill itself, which minimizes supply-chain risk. Scripts are executed locally by the agent when invoked.
Credentials
No credentials or secret environment variables are required. Several optional env vars are documented (e.g., API_COST_MODEL, HEARTBEAT_INTERVAL), which is reasonable. Still, the scripts' defaults conflict with SKILL.md (openai vs minimax), so the intended default behavior is unclear and should be confirmed before use.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide agent settings. Scripts only read files; they don't write to system or agent configs.
What to consider before installing
This skill appears to implement a useful local cost analysis tool, but review and test it before trusting it on production agents. Specifically: (1) inspect the three scripts yourself (they are plain bash/python and only read files under $HOME/.openclaw); (2) note the oddities — SKILL.md lists curl as required though curl is unused, and analyze.sh defaults to 'minimax' while SKILL.md claims 'openai' as the default — and clarify which provider you expect; (3) the scripts contain a bug/typo (an undefined variable TOOL_CALLS_DAY is referenced) that may cause the analyzer to fail under set -e, so fix it or test in a safe environment first; (4) run the scripts as a non-privileged user and on a copy of your OpenClaw config or in a sandbox to confirm outputs; and (5) do not expect any network exfiltration from these scripts, but always review them and run them offline if you have sensitive configuration data.


Runtime requirements

Bins: curl, python3
