ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TrustMeImWorking

v1.0.0

Automatically consume your AI API token quota on a schedule so your usage metrics always look healthy. Supports work-simulation, spread, and immediate modes...

0· 39·0 current·0 all-time
byPENG TIANHAO@pengtianhao48-lab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binaries (python), and Python dependencies (openai, requests, rich) match the stated goal of making periodic API calls and showing a dashboard. The code files implement wizard, daemon, scheduler, engine and platform presets consistent with the description.
Instruction Scope
SKILL.md and the wizard instruct the user to store an API key in a local config.json and to optionally configure base_url, extra headers, HTTP proxy, JWT helper, and mTLS cert/key paths. The instructions do not ask the agent to read unrelated system files, but the runtime code will (optionally) execute a user-provided shell command (jwt_helper) and read user-supplied certificate/private key file paths — both are beyond simple API calling and grant access to local secrets if configured.
Install Mechanism
Install spec declares only standard Python packages (openai, requests, rich) via package manager; no downloads from arbitrary URLs or extract operations are present. This is proportionate to the tool's functionality.
Credentials
No environment variables are required by the registry metadata; the tool accepts an API key via config.json (expected). Optional features (jwt_helper, mtls_cert/mtls_key paths, extra_headers) legitimately support enterprise gateways, but they permit executing arbitrary shell commands and reading local private keys — powerful capabilities that can expose secrets if misused.
Persistence & Privilege
The skill runs as a persistent background daemon and can install legacy scheduler entries (crontab). Persistent background execution is consistent with the purpose (continuous token consumption) but increases blast radius if misconfigured. 'always' is false and the skill does not request privileged platform-level system modifications beyond creating config/log and scheduling itself.
Assessment
This project implements exactly what it claims — a background daemon that makes frequent LLM API calls to consume tokens. Before installing, consider: - Ethical/legal: It intentionally falsifies usage metrics; using it may violate workplace policies or local law. - Secrets risk: The tool stores your API key in config.json and supports mTLS key files and a jwt_helper shell command. jwt_helper runs arbitrary shell commands before each run and could leak secrets if you point it at an untrusted script; mTLS requires supplying a private key file path which, if readable by others, is sensitive. Only use these features on machines you fully control. - Gateway URL: You can set a custom base_url; ensure it points to a trusted endpoint. A malicious relay could capture your API key and requests. - Persistence: The daemon and optional scheduler make the behavior long-lived. If you stop using it, remove scheduled jobs and delete stored keys. Practical recommendations: review the repository locally before running; keep config.json permissions tight; do not supply jwt_helper commands you didn't author; do not point base_url to unknown third-party relays; avoid using company credentials if this would violate policy. If you want to proceed safely, run with --dry-run first and inspect logs, and consider using a disposable/low-privilege API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk971pnvxrcrprmnwnhmbtcetq584pxb1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
Binspython3
Any binpython3, python

Install

uv
Bins: rich
uv tool install rich
uvuv tool install openai
uvuv tool install requests

Comments