v1.0.0

Api Cost Optimizer

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

This skill appears to be a read-only local cost analysis tool, with minor transparency issues around local config access and an undeclared utility dependency.

Guidance: This skill looks safe for its stated purpose: it performs local, read-only cost estimates. Before installing, note that it inspects your local OpenClaw configuration and depends on local shell utilities, including bc even though that dependency is not declared.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
scripts/analyze.sh
HB_CALLS_DAY=$(echo "86400 / $HEARTBEAT_INTERVAL" | bc)

The scripts rely on the bc command for calculations, but the declared required binaries list only curl and python3. This is an incomplete dependency declaration rather than evidence of malicious behavior.

User impact: The scripts may fail or behave inconsistently on systems without bc installed.
Recommendation: Verify required local utilities before running the scripts; maintainers should declare bc and remove unused requirements such as curl if not needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/heartbeat_diagnosis.sh
CONFIG_FILE="${HOME}/.openclaw/openclaw.json" ... AGENT_CONFIG="${HOME}/.openclaw/agents/*/agent.json"

The script reads local OpenClaw configuration and agent configuration files to detect heartbeat settings. This is purpose-aligned and read-only, but users should be aware it inspects local agent configuration.

User impact: The skill can learn basic details about your local OpenClaw setup, such as heartbeat settings and configured tools, but the provided code does not show credential use, file modification, or external transmission.
Recommendation: Run it only if you are comfortable with the skill inspecting your local OpenClaw configuration, and review outputs before sharing them.