skill-usage
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: skill-usage Version: 1.0.3 The skill automates high-privilege operations including the installation of an external npm package (openclaw-skill-usage) and a gateway restart. It also configures data synchronization to a remote TiDB Cloud Zero instance, which constitutes a form of data exfiltration, even if limited to metadata as claimed. While the SKILL.md provides detailed privacy disclosures and requires user consent, the inherent risks of executing external code and transmitting system usage data to a third-party cloud service align with the criteria for a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may cause OpenClaw to load code from an external package.
The setup adds external plugin code to the OpenClaw environment. This is disclosed and purpose-aligned, but it depends on the trustworthiness of the external package.
installs an external npm package (`openclaw-skill-usage`)
Install only if you trust the package and its source repository, and prefer the published package unless intentionally doing local development.
OpenClaw Gateway may restart and be temporarily unavailable during setup.
The skill instructs a local gateway restart as part of setup. This is expected for plugin installation and the artifact tells the agent to warn the user first.
Restarting the gateway is a privileged local operation.
Confirm the restart timing with the user before running the restart command.
If cloud sharing is enabled, usage patterns and labels may be stored remotely and shared across installations.
The skill describes an optional remote data flow for shared analytics. It lists intended synced fields such as skill names, installation labels, agent labels, channel labels, timestamps, status, and latency.
optionally enables cloud-backed usage analytics by writing usage metadata to a TiDB Cloud Zero instance
Use local-only analytics unless shared leaderboards are desired, and review labels/metadata before enabling TiDB Cloud sync.