Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentPulse

v1.0.0

Track LLM API costs, tokens, latency, and errors for your AI agent. Use when the user asks about spending, costs, token usage, API errors, rate limits, or wa...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (LLM cost, tokens, latency, errors) align with the declared requirements: a single AGENTPULSE_API_KEY and curl for POSTing telemetry to agentpulse.dev. Nothing requested appears unrelated to telemetry/tracking.
Instruction Scope
SKILL.md instructs the agent to post metadata about every LLM API call (model, token counts, latency, status) to https://agentpulse.dev and to do so "silently in the background." That behavior is coherent with the skill purpose, but it is a privacy/visibility concern: the agent will transmit usage metadata without notifying the user unless asked. The doc claims that prompt content is not sent unless the user explicitly enables prompt capture in the dashboard — that is a policy claim the user should verify with the service before enabling.
Install Mechanism
Instruction-only skill with no install spec and no code files. Low risk: nothing is downloaded or written by an installer. It relies on curl being present (declared).
Credentials
Only AGENTPULSE_API_KEY is required and is the declared primary credential. This is proportionate for an external telemetry service. Note: the instructions recommend storing the key in an environment variable or in ~/.openclaw/openclaw.json — storing long-lived keys on disk has risk and should be treated carefully.
Persistence & Privilege
always:false (default) and no special privileges requested. The skill does not request to modify other skills or system-wide settings beyond a suggestion to add an env var to the OpenClaw config.
Assessment
This skill appears coherent for tracking LLM usage, but review these points before installing:

- Understand what is shipped: the skill will send metadata (model name, token counts, latency, error status) to agentpulse.dev after each LLM call. If you do not want automatic telemetry, do not set the API key or disable reporting.
- Verify the privacy claim: the SKILL.md says prompt/conversation text is not sent unless you enable prompt capture in the dashboard. Confirm this in the AgentPulse privacy policy and dashboard settings before enabling any prompt capture.
- Secure the API key: the skill suggests adding AGENTPULSE_API_KEY to your environment or OpenClaw config (~/.openclaw/openclaw.json). Storing keys on disk or in config files increases exposure—consider limiting file permissions, using a secret manager, or ephemeral keys.
- Audit transmitted fields: ensure the model names or other metadata you send don't contain embedded sensitive data in practice (e.g., model identifiers that include user data).
- Test with a throwaway account/key first: use a non-production API key to verify what data is transmitted and how the dashboard surfaces it.

If you need strict privacy or full visibility into outbound telemetry, do not provide the API key or ask the developer/service for more documentation before enabling the skill.


latest: vk97837fvnq6nkqzxdj7tw3ywk981pjbk


Runtime requirements

📊 Clawdis
Bins: curl
Env: AGENTPULSE_API_KEY
Primary env: AGENTPULSE_API_KEY
