Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Api Cost Optimizer

v1.0.0

Analyze OpenClaw agent configuration and API usage patterns to identify cost-saving opportunities. Diagnose inefficient heartbeat configs, estimate daily/wee...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with behavior: scripts parse ~/.openclaw configs, count skills, estimate costs and give recommendations — all consistent with cost analysis. Minor mismatch: 'curl' is declared as a required binary but none of the scripts actually call curl.
Instruction Scope
Runtime instructions and scripts stay within the stated scope: they read OpenClaw config files (~/.openclaw/openclaw.json and per-agent JSON), enumerate skill/workspace directories, compute cost estimates, and print recommendations. They do not make network calls or attempt to exfiltrate data.
Install Mechanism
No install spec or remote downloads are present. The skill is instruction-plus-scripts only, so nothing is fetched from external URLs during install.
Credentials
The skill requests no credentials and only uses optional env vars documented in SKILL.md (API_COST_MODEL, API_COST_INTERVAL, HEARTBEAT_INTERVAL, etc.). However, the scripts read arbitrary files under $HOME/.openclaw which could contain tokens or other sensitive config — this access is consistent with purpose but worth reviewing.
Persistence & Privilege
always:false and no modifications to other skills or global config. Scripts only read files and print reports; they do not persist new credentials or enable themselves.
What to consider before installing
This skill is overall coherent with its stated purpose — it inspects your OpenClaw config and estimates API costs — but before installing or running it, do the following:

(1) Review the included shell scripts yourself (they run locally and read files under $HOME/.openclaw).
(2) Note a small but important bug: analyze.sh references an undefined variable (TOOL_CALLS_DAY) which will break or produce incorrect tool-overhead calculations; expect some inaccurate outputs until fixed.
(3) The package declares curl as required though the scripts don't use it — likely a harmless mismatch but a sign of sloppy packaging.
(4) Because the scripts read your OpenClaw config files, those files might include API keys or other secrets; run the scripts in a safe environment or inspect the files first if you are concerned about accidental logging or output.
(5) There are no network calls in the code, so data should remain local — still verify by inspection.

If you lack the expertise, ask the publisher to fix the code issues (undefined variable, remove unused required binaries) and confirm that no telemetry/exfiltration is intended before using on production hosts.



Runtime requirements

Bins: curl, python3