Skill v1.0.0

ClawScan security

AgentPulse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 9:32 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with a cost/telemetry tracking tool: it only needs an API key and curl and its instructions describe sending usage metadata to agentpulse.dev.
Guidance
This skill appears coherent for tracking LLM usage, but review these points before installing:

- Understand what is shipped: the skill will send metadata (model name, token counts, latency, error status) to agentpulse.dev after each LLM call. If you do not want automatic telemetry, do not set the API key or disable reporting.
- Verify the privacy claim: the SKILL.md says prompt/conversation text is not sent unless you enable prompt capture in the dashboard. Confirm this in the AgentPulse privacy policy and dashboard settings before enabling any prompt capture.
- Secure the API key: the skill suggests adding AGENTPULSE_API_KEY to your environment or OpenClaw config (~/.openclaw/openclaw.json). Storing keys on disk or in config files increases exposure—consider limiting file permissions, using a secret manager, or ephemeral keys.
- Audit transmitted fields: ensure the model names or other metadata you send don't contain embedded sensitive data in practice (e.g., model identifiers that include user data).
- Test with a throwaway account/key first: use a non-production API key to verify what data is transmitted and how the dashboard surfaces it.

If you need strict privacy or full visibility into outbound telemetry, do not provide the API key or ask the developer/service for more documentation before enabling the skill.

Review Dimensions

Purpose & Capability
ok
Name/description (LLM cost, tokens, latency, errors) align with the declared requirements: a single AGENTPULSE_API_KEY and curl for POSTing telemetry to agentpulse.dev. Nothing requested appears unrelated to telemetry/tracking.
Instruction Scope
note
SKILL.md instructs the agent to post metadata about every LLM API call (model, token counts, latency, status) to https://agentpulse.dev and to do so "silently in the background." That behavior is coherent with the skill purpose, but it is a privacy/visibility concern: the agent will transmit usage metadata without notifying the user unless asked. The doc claims that prompt content is not sent unless the user explicitly enables prompt capture in the dashboard — that is a policy claim the user should verify with the service before enabling.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. Low risk: nothing is downloaded or written by an installer. It relies on curl being present (declared).
Credentials
ok
Only AGENTPULSE_API_KEY is required and is the declared primary credential. This is proportionate for an external telemetry service. Note: the instructions recommend storing the key in an environment variable or in ~/.openclaw/openclaw.json — storing long-lived keys on disk has risk and should be treated carefully.
Persistence & Privilege
ok
always:false (default) and no special privileges requested. The skill does not request to modify other skills or system-wide settings beyond a suggestion to add an env var to the OpenClaw config.