glm-plan-usage

ReviewAudited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for checking GLM usage, but it reads your OpenClaw GLM API key and should only be installed from a source you trust.

Before installing, verify the repository/source and review the shell script. Expect it to require curl and jq, read ~/.openclaw/openclaw.json for your GLM API key, and send that key to open.bigmodel.cn usage-monitoring endpoints. If you add the optional cron job, remember it will keep running hourly and writing ~/.glm-usage.log until you remove it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

The skill can use your configured GLM API credential to query account usage information.

Why it was flagged

The script reads a provider API key from the local OpenClaw configuration and uses it in an Authorization header for the GLM usage API.

Skill content

readonly OPENCLAW_CONFIG="${HOME}/.openclaw/openclaw.json" ... api_key=$(jq -r ".models.providers.\"$provider\".apiKey // empty" "$config" ... ) ... -H "Authorization: $API_KEY"

Recommendation

Install only from a trusted source, inspect the script before first use, and use the least-privileged GLM key available if the provider supports scoped keys.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

If a user follows the placeholder or an untrusted repository URL, they may install and run different shell code than the reviewed artifact.

Why it was flagged

The manual installation instructions include cloning a repository placeholder and making a shell script executable; this is not automatic, but provenance should be verified.

Skill content

git clone https://github.com/USERNAME/openclaw-glm-plan-usage.git ... chmod +x ~/.openclaw/skills/glm-plan-usage/scripts/query-usage.sh

Recommendation

Use a verified repository or registry package, confirm the URL and owner, and review scripts/query-usage.sh after download before running it.

Low

#ASI10: Rogue Agents

What this means

If enabled, the skill would periodically query usage and write output to a local log file.

Why it was flagged

The documentation suggests an optional recurring cron job, which would continue running hourly until the user removes it.

Skill content

Consider setting up a cron job to periodically check usage: ... 0 * * * * bash ~/.openclaw/skills/glm-plan-usage/scripts/query-usage.sh >> ~/.glm-usage.log

Recommendation

Only add the cron job if you want recurring checks, protect the log file if usage data is sensitive, and remove the cron entry when no longer needed.