Clawhub Skill Llm Cost Guard
Status: Pending. Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could wrongly rely on this skill to prevent overspending when the provided artifacts do not demonstrate actual request blocking.

This is a high-assurance financial safety claim, but the provided install metadata has no hooks, proxy setup, provider credentials, or integration mechanism for intercepting LLM calls, and the visible code primarily implements local logging/status/reporting.

> **Budget enforcement** — blocks requests when daily/monthly budgets are exceeded

Do not rely on this as an enforcement control until the skill clearly documents and provides the LLM-call interception mechanism and shows how blocking is applied.
A user may misunderstand whether spending reports or usage metadata leave the local machine.

The documentation simultaneously describes reports delivered through external messaging services and claims there are no external services, which gives users an unclear privacy and data-flow expectation.

> **Daily spend reports** — delivered via WhatsApp/Telegram/Discord ... All data stored locally ... No external services. No telemetry.

Clarify whether external notification services are used, what data is sent, and what credentials or user approval are required.
The skill may continue running scheduled actions after installation, including sending reports or resetting counters, in ways the user may not expect.

This describes persistent scheduled behavior, but the registry says there is no install spec and the artifacts do not clearly show user opt-in, exact cron contents, or cleanup instructions.

> The skill auto-installs a daily cron job to: 1. Send a morning spend summary ... 3. Reset daily counters at midnight UTC

Require explicit user approval for cron installation, document the exact scheduled command, and provide a clear uninstall/removal step.
Local usage logs can reveal who used which models and how much they spent, even though this is aligned with the skill's purpose.

The visible code persistently records LLM usage metadata, including model names, token counts, cost, timestamps, and optional user identifiers.

```javascript
// Excerpt from the skill's usage logger: each LLM call is appended to the local data file
// with its model, token counts, cost, timestamp, and (optional) user identifier.
data.entries.push({ date: todayStr(), ts: new Date().toISOString(), model, inputTokens, outputTokens, cost, user });
```

Use non-sensitive user identifiers where possible and protect or periodically clear the local data file if the usage history is sensitive.
