Balance Checker
v1.0.0查询 AI API 服务商的余额(DeepSeek、Moonshot/Kimi、火山引擎)。当用户说"查余额"、"还有多少额度"、"余额多少"时自动触发。
⭐ 1· 1.6k·3 current·3 all-time
by@kyya
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the files and runtime behavior: check_balance.sh queries DeepSeek and Moonshot via their REST endpoints and query_balance.py queries Volcengine via the Python SDK. One inconsistency: registry metadata lists no required environment variables, but SKILL.md and the scripts clearly expect DEEPSEEK_API_KEY, MOONSHOT_API_KEY, VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY.
Instruction Scope
SKILL.md instructs running setup_volcengine.sh and adding keys to ~/.openclaw/openclaw.json or environment variables. The scripts implement only the stated actions: call provider APIs and read credentials from env or from OpenClaw config (~/.openclaw/openclaw.json or clawdbot.json). Reading the OpenClaw config is expected for convenience, but it means the skill will access a local config file — reviewers should be aware it inspects that file to extract VOLCENGINE_* keys.
Install Mechanism
No registry install spec; the included setup_volcengine.sh creates a venv and pip-installs volcengine-python-sdk from PyPI — a standard, low-risk pattern. Minor oddities: setup_volcengine.sh attempts chmod on files (volcengine_balance.sh, setup.sh) that are not present in the package, which appears to be an authoring bug rather than malicious behavior.
Credentials
The skill requests only provider-specific credentials (DeepSeek, Moonshot, Volcengine), which are appropriate for querying balances. However, the package metadata did not declare required env vars while the SKILL.md and scripts do; also query_balance.py will read ~/.openclaw/openclaw.json if env vars are absent (it only looks for VOLCENGINE_ACCESS_KEY/SECRET). Storing secrets in the shared OpenClaw config is a usability trade-off — users should ensure that file's permissions are secure.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system privileges. It installs a local venv under the skill directory and does not modify other skills or global agent settings. The skill can be invoked autonomously by the agent (platform default), which is consistent with its function.
Assessment
This skill appears to do what it says: it queries provider APIs and (for Volcengine) uses a local Python SDK. Before installing:
- Confirm you are comfortable storing VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY either as environment variables or in ~/.openclaw/openclaw.json (ensure that file is readable only by you).
- Review the scripts (check_balance.sh, query_balance.py, setup_volcengine.sh) yourself; they call only the documented provider endpoints and pip-install the Volcengine SDK into a local venv.
- Run setup_volcengine.sh manually in a controlled shell to see what it installs; it installs packages from PyPI (volcengine-python-sdk) into a venv — do this if you trust that package.
- Note small authoring bugs (setup script chmods non-existent files, registry metadata omits required env vars) — these are likely mistakes, not malicious behavior, but verify the repository source if you require higher assurance.
If you are uncertain about any of the upstream packages (e.g., volcengine-python-sdk), test the skill in an isolated environment or container before adding real credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97ba62vsa85kk1d5hnmww6jkh80hnsb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.