Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Billing Monitor

v1.0.2

Monitor for API billing errors and alert the owner and admin immediately. Use when: an API billing error is detected, a peer PA reports a billing error, or d...

by Netanel Abergel (@netanel-abergel)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill claims to monitor billing and alert/auto-switch models — that purpose legitimately requires provider API keys (OpenAI/Anthropic/Google), notification targets (owner/admin phones or channels), and a fallback config. However the registry metadata lists no required env vars, no required config paths, and no primary credential. This is inconsistent: the instructions clearly depend on ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, OWNER_PHONE/ADMIN_PHONE (or a sourced context file) and config/billing-fallback.json.
! Instruction Scope
The SKILL.md tells the agent to source /opt/ocana/openclaw/workspace/skills/billing-monitor/.context (which may contain sensitive secrets), to check several environment variables for provider keys, to run curl against provider APIs, to call `openclaw config set model` (modifying agent config), and to write logs under $HOME/.openclaw. Sourcing an absolute /opt path and modifying agent configuration are beyond what a minimal 'notification' skill should do and are not reflected in declared requirements.
Install Mechanism
Instruction-only skill with no install spec and no code files. This reduces supply-chain risk because nothing new is downloaded or written by an installer. The runtime actions still read/write local files and run commands, but there is no separate install mechanism to evaluate.
! Credentials
The skill will access multiple sensitive env vars (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY) and expects notification contact info (OWNER_PHONE, ADMIN_PHONE) and a fallback config file. Those are proportionate to the stated purpose, but the metadata does not declare them — the skill does not advertise it needs these credentials. Also the health-check script reads provider keys from the environment and will perform network calls using them, which should be explicitly declared.
Persistence & Privilege
always:false (normal) and autonomous invocation allowed (default). The skill instructs modifying the agent's model setting via `openclaw config set model` (its own agent config), which can be reasonable for an auto-fallback, but combined with the undocumented sourcing of /opt/.../.context and reading of env vars it increases the blast radius. No evidence the skill tries to persist beyond its own config (no 'always:true' or other privilege escalation), but clarify the scope of the context file and confirm this skill only writes its own logs/config.
What to consider before installing
Before installing, ask the publisher to: (1) update the skill metadata to list all required environment variables and config paths (provider API keys, owner/admin contacts, billing-fallback.json, any .context file path); (2) explain why the skill needs to source /opt/ocana/.../.context and what data that file contains (avoid sourcing arbitrary system-wide files with secrets); (3) confirm that `openclaw` is available on the target system and document what `openclaw config set model` changes and whether it affects other agents; (4) restrict who can run the health-check cron and ensure logs/credentials are stored with least privilege; and (5) test in a sandboxed agent (no production credentials, use test keys) to verify behavior. If the publisher cannot justify the undocumented env vars and absolute paths, treat this as higher risk and do not install in production.


latest vk9765bsvbm6p7t0kfvfjj26vrn847fdk
