Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

The AI Agent FinOps Playbook: Budget Enforcement, Cost Allocation & Spend Analytics for Multi-Agent Systems

v1.0.0

The AI Agent FinOps Playbook: Budget Enforcement, Cost Allocation & Spend Analytics for Multi-Agent Systems. Complete guide to cost governance for multi-agen...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md is explicitly written to drive a billing/control-plane (GreenHelix A2A Commerce Gateway) and includes Python examples that require an API key (GREENHELIX_API_KEY). However, the skill metadata declares no required environment variables or primary credential. That mismatch (a billing API being referenced but not declared) is disproportionate and incoherent with the registry metadata.
! Instruction Scope
The runtime instructions include actionable API calls (create_wallet, deposit, set_budget_cap, register_webhook) and example code that reads os.environ["GREENHELIX_API_KEY"]. They also show registering arbitrary webhook URLs (external endpoints). These are expected for a FinOps guide, but the SKILL.md gives the agent explicit instructions to access an environment-stored API key and to send real-time alerts to external endpoints — behaviors that require explicit permission and clear credential declarations, which are missing.
Install Mechanism
This is instruction-only with no install spec and no code files to be written to disk. That lowers install-time risk because nothing is downloaded or executed by an installer.
! Credentials
The content expects a GREENHELIX_API_KEY environment variable (and likely other billing credentials) but the skill metadata lists no required env vars or primary credential. Requesting billing/API secrets would be proportionate for this guide — but the omission in metadata is an inconsistency that makes it unclear what secrets the agent will attempt to read or need.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills' configuration. Autonomous invocation is allowed (platform default), which is expected for user-invocable skills; this by itself is not flagged.
What to consider before installing
Before installing, confirm these items with the publisher:
1) an explicit list of required environment variables (e.g., GREENHELIX_API_KEY) and why each is needed — the SKILL.md references an API key but the registry metadata does not declare it;
2) the official GreenHelix service domain, docs, and a homepage or repository so you can validate the third-party provider;
3) what data will be sent to webhook endpoints and whether those webhooks could receive sensitive billing/account info.
If you proceed, test in a sandbox account with limited funds/permissions and use short-lived credentials or scoped API keys. If the publisher cannot provide clear declarations or an official homepage/repo, treat the skill as higher risk and avoid providing real billing credentials.


Tags: ai-agent, billing, budgets, cost-management, finops, greenhelix, guide, latest, openclaw, webhooks
