Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vibe Billing Scan

v1.0.0

Scan your OpenClaw logs to identify costly runs, sessions, retry storms, and looped tool calls driving your API bill higher, with no signup needed.


Install


Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for shinertx/vibe-billing-scan.

Prompt preview (Install & Setup):
Install the skill "Vibe Billing Scan" (shinertx/vibe-billing-scan) from ClawHub.
Skill page: https://clawhub.ai/shinertx/vibe-billing-scan
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.


CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install vibe-billing-scan

ClawHub CLI


npx clawhub@latest install vibe-billing-scan
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (scan local OpenClaw logs and proxy data) is consistent with requiring a Node-based CLI (npx / vibe-billing). However, the registry metadata lists no required binaries while the SKILL.md header declares bins: [node, npx]; that mismatch is an inconsistency. Requesting node/npx is reasonable for a CLI tool, but the skill delegates execution to a remote npm package rather than shipping inspectable code.
Instruction Scope
Runtime instructions tell the user to run `npx vibe-billing scan` and optionally `npx vibe-billing setup`, which installs a proxy. The SKILL.md does not limit which local files or paths will be read; a CLI run via npx can inspect arbitrary local logs, environment variables, and network traffic. The 'setup' step implies installing a persistent proxy that could intercept API requests and secrets. That is scope creep relative to an instruction-only skill and raises privacy and credential-exposure concerns.
Install Mechanism
There is no bundled code or install spec; the skill relies on npx to pull and execute code from the npm registry at runtime. Executing unreviewed remote code via npx is a higher-risk install mechanism because it runs code fetched from the network on your machine. The homepage (https://api.jockeyvc.com) is an external endpoint, and no package source or repository is included for review.
Credentials
The skill declares no required env vars or credentials, but its functionality (scanning logs and installing a proxy) typically needs access to logs and may encounter API keys or session tokens. The lack of declared environment requirements is therefore surprising and reduces transparency; the tool could still read sensitive environment variables or config files once executed.
Persistence & Privilege
`always` is false (good), but the optional `npx vibe-billing setup` implies installing a proxy for ongoing monitoring, which creates a persistent system presence outside the agent. Because the skill is instruction-only and provides no inspectable code, that persistence would be opaque and potentially broad in privilege.
Scan Findings in Context
[no_regex_findings] expected: The regex-based scanner found no code to analyze because this is an instruction-only skill. That absence is expected but not reassuring; with npx runtime fetching, the actual executable code is not present in the skill bundle for review.
What to consider before installing
This skill tells you to run an npx command that will download and execute a remote npm package, and offers an optional 'setup' that installs a proxy. Before running it:

  1. Review the npm package source (or the package maintainer and repo); do not run it if you can't find the code.
  2. Avoid running `npx vibe-billing setup` until you have inspected what it installs and where it listens.
  3. Run the scan in an isolated test environment or container and monitor network traffic to see whether data is sent off-host.
  4. Check the landing page and the npm package owner's reputation.
  5. Prefer skills that include code or an explicit vetted install artifact, or ask the publisher for a package repository and commit hash you can audit.

If you need help auditing the npm package URL or its source, provide the package name or repo and I can help review it.
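One concrete form of the first check above, as an added example that is not part of the skill or of ClawHub: a manifest audit you can run on a package's package.json before letting npx execute it. It assumes you fetched the tarball without installing it (for instance with `npm pack`) and extracted package/package.json; the manifest below is constructed for the example.

```javascript
// Added example, not from the skill or ClawHub: audit a package manifest before any
// code from it runs. The manifest is constructed for this example.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-cli', version: '1.0.0',
  bin: { 'example-cli': 'bin/cli.js' },
  scripts: { postinstall: 'node scripts/setup.js', test: 'node test.js' },
  dependencies: { 'some-dep': '^1.0.0' },
});

// npm runs these automatically during install, before you have read any code.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'preuninstall', 'postuninstall'];

function auditManifest(json) {
  const m = JSON.parse(json);
  const findings = [];
  const scripts = m.scripts || {};
  for (const s of LIFECYCLE) {
    if (scripts[s]) findings.push({ level: 'high', what: `lifecycle script ${s}: ${scripts[s]}` });
  }
  // Without a repository field there is no declared source to diff the tarball against.
  if (!m.repository) findings.push({ level: 'medium', what: 'no repository field; tarball cannot be cross-checked against source' });
  // Each bin entry is what npx will execute; a string form means a single bin named after the package.
  const bins = typeof m.bin === 'string' ? { [m.name]: m.bin } : (m.bin || {});
  for (const [cmd, file] of Object.entries(bins)) findings.push({ level: 'info', what: `bin ${cmd} -> ${file}` });
  // Runtime dependencies are executed transitively, so they widen what must be reviewed.
  const deps = Object.keys(m.dependencies || {}).length;
  if (deps > 0) findings.push({ level: 'info', what: `${deps} runtime dependencies, each executed transitively` });
  return findings;
}

console.log(auditManifest(SAMPLE_MANIFEST));
```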


Tags: api, billing, cost, debugging, latest, monitoring, openclaw, retry, spend, tokens

119 downloads · 0 stars · 1 version · Updated 1mo ago · v1.0.0 · MIT-0

vibe-billing-scan

Find which OpenClaw run, session, or retry storm is costing you money. One command. No signup. Runs locally.

When to Use

Activate this skill when the user:

  • Says their API bill is higher than expected
  • Wants to know which run or session cost the most
  • Suspects a retry loop or rate-limit storm
  • Asks about token usage, spending, or waste
  • Uses phrases like: "why is my bill high", "find the bad run", "scan my spend", "check api costs", "retry loop", "bill shock"

What This Does

Runs npx vibe-billing scan against the user's local OpenClaw logs and API proxy data. Returns:

  1. Which session/run cost the most — ranked by spend
  2. Retry storm detection — flags runs where 429 errors caused expensive retry chains
  3. Context accumulation analysis — shows sessions where the context window grew unusually large
  4. Looped tool call detection — identifies tool calls that repeated more than expected
  5. Total spend summary — across all tracked requests

Quick Reference

npx vibe-billing scan        # scan existing logs, no setup needed
npx vibe-billing setup       # install proxy for future runs (optional)
npx vibe-billing status      # show live runtime stats

Step-by-Step Instructions

Step 1 — Run the scan

Tell the user to run this in their terminal:

npx vibe-billing scan

Step 2 — Interpret the output

  • Requests: total API calls tracked
  • Money Saved: estimated waste intercepted
  • Tokens Saved: tokens deduplicated or cached
  • Loops Blocked: retry storms stopped

Step 3 — Identify the bad run

An expensive run is almost always caused by one of:

  1. Retry storm — agent hit 429, retried multiple times, each retry re-sent full context
  2. Long session — 30+ turn conversation where every message re-sent all prior context
  3. Looped tool call — agent called the same tool repeatedly on unexpected output

Step 4 — Set up ongoing monitoring (optional)

npx vibe-billing setup
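An added example (not the skill's own code and not OpenClaw's) of what a local, inspectable version of this scan looks like: it ranks sessions by spend and flags the retry storms and looped tool calls described in Step 3. The JSON-lines log schema is constructed for the example, since the real OpenClaw log format is not documented on this page.

```javascript
// Added example, not the skill's code: a small, inspectable local scanner for the
// cost patterns the skill describes. The JSON-lines schema below is constructed
// for this example; the real OpenClaw log format is not documented on the page.
const SAMPLE_LOG = [
  '{"session":"s1","status":200,"tokens":1200,"cost":0.012,"tool":"search","args":"q=a"}',
  '{"session":"s1","status":429,"tokens":1200,"cost":0,"tool":null,"args":null}',
  '{"session":"s1","status":429,"tokens":1200,"cost":0,"tool":null,"args":null}',
  '{"session":"s1","status":429,"tokens":1200,"cost":0,"tool":null,"args":null}',
  '{"session":"s1","status":200,"tokens":1200,"cost":0.012,"tool":null,"args":null}',
  '{"session":"s2","status":200,"tokens":8000,"cost":0.080,"tool":"read_file","args":"p=x"}',
  '{"session":"s2","status":200,"tokens":8100,"cost":0.081,"tool":"read_file","args":"p=x"}',
  '{"session":"s2","status":200,"tokens":8200,"cost":0.082,"tool":"read_file","args":"p=x"}',
  '{"session":"s2","status":200,"tokens":8300,"cost":0.083,"tool":"read_file","args":"p=x"}',
].join('\n');

// One JSON object per line; malformed or blank lines are skipped, not fatal.
function parseLog(text) {
  return text.split('\n').flatMap((l) => { try { return l.trim() ? [JSON.parse(l)] : []; } catch { return []; } });
}

// Rank sessions by total spend (the "which run cost the most" view).
function rankSessionsBySpend(records) {
  const totals = new Map();
  for (const r of records) totals.set(r.session, (totals.get(r.session) || 0) + r.cost);
  return [...totals].map(([session, cost]) => ({ session, cost: +cost.toFixed(4) })).sort((a, b) => b.cost - a.cost);
}

// Retry storm: a run of consecutive 429s in one session; each retry re-sends the full context.
function detectRetryStorms(records, minRetries = 3) {
  const storms = []; let run = null;
  const flush = () => { if (run && run.retries >= minRetries) storms.push(run); run = null; };
  for (const r of records) {
    if (r.status !== 429) { flush(); continue; }
    if (!run || run.session !== r.session) { flush(); run = { session: r.session, retries: 0, tokensResent: 0 }; }
    run.retries++; run.tokensResent += r.tokens;
  }
  flush(); return storms;
}

// Looped tool call: the same tool invoked with identical args more than maxRepeats times in a row.
function detectToolLoops(records, maxRepeats = 3) {
  const loops = []; let cur = null;
  const flush = () => { if (cur && cur.count > maxRepeats) loops.push(cur); cur = null; };
  for (const r of records) {
    if (!r.tool) { flush(); continue; }
    const key = `${r.session}|${r.tool}|${r.args}`;
    if (!cur || cur.key !== key) { flush(); cur = { key, session: r.session, tool: r.tool, count: 0, cost: 0 }; }
    cur.count++; cur.cost += r.cost;
  }
  flush(); return loops;
}

const scan = (t, r = parseLog(t)) => ({ ranked: rankSessionsBySpend(r), retryStorms: detectRetryStorms(r), toolLoops: detectToolLoops(r) });
console.log(JSON.stringify(scan(SAMPLE_LOG), null, 2));
```

Point it at a real log by reading the file into `scan()` once the field names match your log's schema.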

Proof

  • $7,691 saved across tracked requests
  • 947 million tokens intercepted
  • 161 loops blocked

Landing Page

https://api.jockeyvc.com
