LLM Cost Guard
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may keep running daily and change its stored cost data even when the user is not actively invoking it.
This describes persistent scheduled activity after installation, including sending reports and mutating/resetting stored counters, but the artifacts do not provide clear user approval, removal, or containment details.
The skill auto-installs a daily cron job to:
1. Send a morning spend summary
2. Alert if yesterday's spend exceeded budget
3. Reset daily counters at midnight UTC
Require explicit opt-in before creating any cron job, document exactly what it runs, and provide a clear disable/remove command.
Usage and spending information could be sent to third-party chat services under unclear conditions, or the user may rely on a privacy claim that conflicts with the alerting feature.
The skill claims external chat delivery for reports while also claiming no external services. Reports can include user identifiers, model names, token counts, and spend, but the artifacts do not define destination, credentials, consent, or data boundaries.
**Daily spend reports** — delivered via WhatsApp/Telegram/Discord ... All data stored locally at `~/.openclaw/workspace/llm-cost-guard-data.json`. No external services. No telemetry.
Clarify whether external delivery is implemented, make it opt-in, declare required credentials/configuration, and state exactly what report data is sent and where.
Anyone with access to the local data file may learn which models were used, approximate activity patterns, spending, and user identifiers.
The skill stores a persistent local ledger of LLM usage, including model, tokens, cost, timestamp, and optional user identifier. This is expected for the stated purpose, but it is still sensitive operational history.
const DATA_PATH = path.join(os.homedir(), '.openclaw', 'workspace', 'llm-cost-guard-data.json'); ... data.entries.push({ date: todayStr(), ts: new Date().toISOString(), model, inputTokens, outputTokens, cost, user, });
Keep the data file protected, avoid logging sensitive user identifiers, and document retention/reset behavior clearly.
