Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Agent Cost Optimization Cookbook: Cut Your Agent Bills by 60% Without Sacrificing Quality
v1.3.1
AI Agent Cost Optimization Cookbook: Cut Your Agent Bills by 60% Without Sacrificing Quality. Practical recipes for reducing AI agent operational costs. Cove...
by @mirni
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and large SKILL.md are coherent with a cost-optimization cookbook (working code examples, chapters on model routing, observability, etc.). However, requiring WALLET_ADDRESS (declared as the primary credential) is not explained by the stated purpose and is disproportionate for a documentation/guide artifact.
Instruction Scope
SKILL.md explicitly states it is an educational guide that does not execute code or install dependencies and uses the GreenHelix sandbox (no API key). The instructions appear limited to examples and guidance rather than autonomously reading system files or performing actions — based on the provided excerpt there is no instruction to exfiltrate data. Full file was truncated, so this is based on available content.
Install Mechanism
No install specification and no code files — instruction-only. This is the lowest-risk install surface because nothing is written or executed automatically.
Credentials
Requiring WALLET_ADDRESS (primaryEnv) for a static cookbook is unexpected. The SKILL.md claims the wallet address is a public payment address only, but the registry declaring it as a required credential is disproportionate. A documentation-only skill should not require any environment credential by default. It's unclear whether the skill will read that env var at runtime or propagate it elsewhere.
Persistence & Privilege
The skill is not forced-always and does not request persistent or elevated privileges. It is user-invocable and allows autonomous invocation (platform default) but there is no evidence it modifies other skills or system-wide settings.
What to consider before installing
Do not supply private keys or secrets. Before installing or enabling this skill:
1) Ask the publisher why WALLET_ADDRESS is required and how it will be used; a cookbook should not need credentials.
2) If you must provide a wallet address, only provide a public receiving address — never private keys or seed phrases.
3) Inspect the full SKILL.md locally (search for any code that reads env vars, makes network calls, or posts the wallet address to external endpoints) and confirm there are no instructions that transmit credentials.
4) Prefer running any provided code examples in an isolated environment or sandbox.
5) If the author cannot justify the WALLET_ADDRESS requirement, decline installation or request a version that does not require any environment variables.
If you can share the full SKILL.md, I can re-check for instructions that reference the wallet or network endpoints and raise confidence.
Like a lobster shell, security has layers — review code before you run it.
Tags: agent-operations, ai-agent, cost-optimization, finops, greenhelix, guide, latest, metering, model-routing, observability, openclaw
Runtime requirements
Env: WALLET_ADDRESS
Primary env: WALLET_ADDRESS
