LLM Cost Watchdog

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed LLM cost-tracking skill that keeps local usage metadata and uses optional monitoring hooks for its stated purpose.

Install only if you want LLM cost monitoring across the chosen scope. Expect local files under ~/.cost-watchdog, optional reads from OpenClaw/Claude session logs, and live pricing lookups. Avoid sending secrets to validate-tokens, and enable install_global_capture only in processes where broad LLM response metadata capture is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers (Medium severity, 93% confidence)

The README states the skill auto-activates on broad conditions such as any detected LLM API calls, loop patterns, or general cost/budget discussions. Overly broad triggers can cause the skill to run in unintended contexts, leading to surprise behavior, noisy interventions, or analysis of unrelated code and conversations. In an agent environment, unnecessary automatic activation can also expand the skill's effective privilege and increase the chance of workflow interference.

Vague Triggers (Medium severity, 92% confidence)

The skill declares very broad activation criteria such as any mention of cost, budget, tokens, LLM API calls, agent workflows, or batch processing. In an agent environment, this can cause the skill to activate in many unrelated contexts, increasing the chance of unreviewed side effects such as file writes, network access, or command suggestions being invoked unexpectedly.

Vague Triggers (Medium severity, 90% confidence)

The markdown trigger list repeats ambiguous, high-recall activation rules without concrete scope constraints. Because this skill is capable of observing sessions, reading logs, and recommending execution of local scripts, overly permissive activation increases the risk of unnecessary invocation and data exposure in contexts where the user did not intend cost monitoring.

Missing User Warnings (Medium severity, 92% confidence)

This code globally monkey-patches httpx transport handlers to inspect all requests and responses to known LLM providers, effectively intercepting network traffic process-wide without any consent, warning, scoping, or opt-in audit trail. Even though it appears intended for telemetry, this kind of capture can expose sensitive prompts, model identifiers, endpoints, and usage metadata across unrelated components in the same process, making it a real privacy and monitoring risk.

Missing User Warnings (Medium severity, 85% confidence)

The script persistently duplicates data derived from OpenClaw session logs into a second local usage log without any user-facing disclosure, consent flow, or minimization controls. Even though the code appears focused on token/cost accounting rather than full transcript export, it still tails assistant message metadata from session files and creates an additional durable record, which increases privacy exposure and retention risk if the host is shared, backed up, or later accessed by other tools.

Missing User Warnings (Medium severity, 91% confidence)

The module persistently records LLM call metadata to ~/.cost-watchdog/usage.jsonl without any built-in consent prompt, disclosure mechanism, or opt-in control shown here. Even if it logs usage rather than full prompts, model names, token counts, providers, session identifiers, stop reasons, and timing-associated metadata can reveal sensitive user behavior, project activity, or cross-session linkage when stored long-term.

Missing User Warnings (Medium severity, 87% confidence)

The code persists per-call usage records to disk in a user home directory, including `session_id` and an unconstrained `extra` dictionary, without any minimization, redaction, retention control, or explicit consent mechanism. While this appears intended for cost tracking rather than abuse, it can expose sensitive identifiers or metadata if other components place secrets, prompts, or personal data into `extra`, and the plaintext log may be readable by local users, backups, or support tooling.

Missing User Warnings (Medium severity, 98% confidence)

The code performs external model API calls inside a `while True` loop with no exit condition, rate limit, budget cap, or user disclosure. This can cause uncontrolled billing, service abuse, runaway resource consumption, and potentially a denial-of-wallet condition or operational disruption if triggered.

Missing User Warnings (Medium severity, 96% confidence)

The function sends `file.content` to an external API without any visible warning, consent, or filtering, which can expose sensitive source code or embedded secrets to a third party. The missing `max_tokens` also makes cost unpredictable, but the primary security issue here is the undisclosed transmission of file contents.

VirusTotal

66/66 vendors flagged this skill as clean.
