LLM Cost Guard
Review
Audited by ClawScan on May 10, 2026.
Overview
The local cost logging is plausible, but the skill describes automatic daily cron behavior and external chat reports without clear setup, consent, or removal details.
Review this skill before installing. The local token/cost ledger is expected for its purpose, but you should confirm whether it creates a cron job, how to disable it, and whether any reports are sent to WhatsApp, Telegram, or Discord. Avoid using sensitive user identifiers in logs unless you are comfortable storing and potentially reporting them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may keep running daily and change its stored cost data even when the user is not actively invoking it.
This describes persistent scheduled activity after installation, including sending reports and mutating/resetting stored counters, but the artifacts do not provide clear user approval, removal, or containment details.
The skill auto-installs a daily cron job to:
1. Send a morning spend summary
2. Alert if yesterday's spend exceeded budget
3. Reset daily counters at midnight UTC
Require explicit opt-in before creating any cron job, document exactly what it runs, and provide a clear disable/remove command.
Usage and spending information could be sent to third-party chat services under unclear conditions, or the user may rely on a privacy claim that conflicts with the alerting feature.
The skill claims external chat delivery for reports while also claiming no external services. Reports can include user identifiers, model names, token counts, and spend, but the artifacts do not define destination, credentials, consent, or data boundaries.
**Daily spend reports** — delivered via WhatsApp/Telegram/Discord ... All data stored locally at `~/.openclaw/workspace/llm-cost-guard-data.json`. No external services. No telemetry.
Clarify whether external delivery is implemented, make it opt-in, declare required credentials/configuration, and state exactly what report data is sent and where.
Anyone with access to the local data file may learn which models were used, approximate activity patterns, spending, and user identifiers.
The skill stores a persistent local ledger of LLM usage, including model, tokens, cost, timestamp, and optional user identifier. This is expected for the stated purpose, but it is still sensitive operational history.
const DATA_PATH = path.join(os.homedir(), '.openclaw', 'workspace', 'llm-cost-guard-data.json'); ... data.entries.push({ date: todayStr(), ts: new Date().toISOString(), model, inputTokens, outputTokens, cost, user, });
Keep the data file protected, avoid logging sensitive user identifiers, and document retention/reset behavior clearly.
