Balance Checker
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: balance-checker Version: 1.0.0 The OpenClaw skill 'balance-checker' is designed to query API balances for DeepSeek, Moonshot, and Volcengine. It retrieves API keys/secrets from environment variables or the local OpenClaw configuration file (`~/.openclaw/openclaw.json`), which is a standard and expected method for such skills. The `check_balance.sh` script uses `curl` to interact with legitimate API endpoints (api.deepseek.com, api.moonshot.cn) and executes `query_balance.py` for Volcengine, which in turn uses the official `volcengine-python-sdk`. The `setup_volcengine.sh` script correctly sets up a Python virtual environment and installs the necessary SDK. There is no evidence of data exfiltration to unauthorized destinations, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` or `README.md` that would subvert the agent's intended behavior. All actions are clearly aligned with the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and configured, the skill can use your provider credentials to read billing/balance information for the configured accounts.
The skill can read local OpenClaw configuration files to obtain Volcengine credentials. This is purpose-aligned and bounded to named credential keys, but it is still sensitive account access.
config_paths = [home / ".openclaw" / "openclaw.json", home / ".openclaw" / "clawdbot.json"] ... access_key = env_config.get('VOLCENGINE_ACCESS_KEY')Use only the provider keys you want this skill to access, prefer least-privilege/read-only billing credentials where available, and avoid placing unrelated secrets in config files accessible to skills.
Running the optional setup may install whatever current SDK version is available and may fail or behave inconsistently because the referenced helper filenames are absent.
The optional setup installs an unpinned Python dependency and references helper scripts that are not included in the manifest. This is related to the stated Volcengine feature, but users should be aware of dependency provenance and setup consistency.
pip install --upgrade pip pip install volcengine-python-sdk chmod +x volcengine_balance.sh chmod +x setup.sh
Review the setup script before running it, consider pinning the SDK version, and fix or remove stale references to missing helper scripts.