Security audit
Openclaw Guard
Security checks across malware telemetry and agentic risk
Overview
The skill's code, instructions, and requirements are coherent with its stated purpose (a local pre-call guard) and there are no requests for unrelated credentials, remote downloads, or unexpected system access.
This plugin appears to do exactly what it claims: locally estimate tokens/costs and block or suggest a cheaper model. Before installing, confirm you trust the publisher (the plugin will run code inside your agent), keep debug off in production (debug logs redact common secret key names but might not catch non-standard names), and set conservative maxBudgetUsd/maxTokensPerRequest values appropriate for your environment. If you need extra assurance, review the small codebase (it has a single npm dependency, zod) or run tests in an isolated environment prior to deployment.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
