Skylv Api Budget Guardian
AdvisoryAudited by Static analysis on May 1, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may need to trust and inspect the bundled script directly before running it.
The skill relies on local script execution but provides limited provenance and no install specification, so users have less context for where the code came from or how it should be installed.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the full script from the installed package and run it only from a directory where you are comfortable creating the local cost-tracking file.
Installing or using the skill may cause your agent or you to run the bundled JavaScript locally.
The skill documents running a local Node.js script. This is expected for the CLI-style cost tracker, but it is still local code execution.
node cost_guard.js init 100
Run the commands intentionally, verify Node.js is available, and inspect the script first if you do not trust the package source.
Your model names, token counts, spend totals, and budget settings may remain on disk in the current directory.
The script persists budget and usage history in a local JSON file. This is purpose-aligned, but it creates reusable local state that could reveal usage patterns or be edited by local processes.
const COST_FILE = '.cost-guard.json'; ... costs.tokenLog.push({ timestamp: new Date().toISOString(), tokens: t, model: m, cost: totalCost }); ... fs.writeFileSync(COST_FILE, JSON.stringify(costs, null, 2));Keep the .cost-guard.json file in an appropriate project directory, avoid committing it if the data is sensitive, and back it up before reinitializing.