Skill v1.0.1
ClawScan security
Skylv Cost Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 4:37 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent with its stated purpose: a local CLI-style cost tracker and suggester that computes estimated spend from token counts, requires no external credentials, and stores its state in a local file.
- Guidance: This skill operates as a local CLI calculator and tracker: it does not connect to provider APIs or require API keys, and it stores budget and token logs in a .cost-guard.json file in the current directory. Before installing or running: (1) review the JS file to confirm you are comfortable running an untrusted Node script; (2) run it in an isolated directory if you want to keep .cost-guard.json separate from other files; (3) note that cost estimates are derived from static pricing tables and manual token counts (the skill does not automatically pull provider billing data), so if you expected automatic integration with OpenAI/Anthropic/Google billing you will need additional tooling or credentials. If you plan to share logs, be aware the .cost-guard.json file contains your spend traces and should be treated as potentially sensitive.
Review Dimensions
- Purpose & Capability (ok): Name and description (monitoring and optimizing AI API costs) match the provided assets: a CLI-style SKILL.md and a JavaScript implementation that calculates costs from token counts and a pricing table covering multiple providers. Nothing in the files requests unrelated services or privileged access.
- Instruction Scope (ok): SKILL.md instructs running node cost_guard.js with explicit commands (init, track, status, compare, suggest, alert, report). The runtime instructions are limited to local operations and user-provided token counts; they do not instruct reading system-wide config, cloud credentials, or transmitting data externally.
- Install Mechanism (ok): There is no install spec and no external downloads. The skill is instruction-only plus a single JS file; runtime uses only Node built-in fs/path. This is low-risk from an installation perspective.
- Credentials (ok): No environment variables, credentials, or config paths are required. The code reads/writes a single local file (.cost-guard.json) to store budget and logs, which is proportional to the stated functionality.
- Persistence & Privilege (ok): always is false and the skill does not request any elevated or persistent platform-level privileges. It stores state only in a local dot-file and does not modify other skills or global agent configuration.
