Ag Model Usage
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill needs review because it is presented as local CodexBar usage reporting but actually reads a stored Google Antigravity OAuth token and calls Google internal quota APIs.
Treat this as a Review item, not proven malware. Install it only if you intentionally want it to use your Google Antigravity OAuth profile at ~/.openclaw/agents/main/agent/auth-profiles.json to query quota data, and verify the publisher/metadata mismatch first.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install it expecting a local usage summary, while it actually uses a stored Google Antigravity account token.
The headline description says local CodexBar cost usage, but the same artifact later says it reads OAuth tokens and calls Google. This mismatch can cause users to underestimate credential and external account access.
description: Use CodexBar CLI local cost usage... / This skill reads the OAuth token from `auth-profiles.json` ... and sends quota query requests to Google.
Align the public description with the real behavior, clearly declare the credential/config path, and require explicit user consent before using stored account tokens.
The skill can act with the user's stored Google Antigravity OAuth credential to query account/project quota data.
The script reads a local OpenClaw auth profile and uses the OAuth access token as a Bearer credential. The submitted requirements declare no primary credential or required config path, so this account access is under-declared.
auth_path = os.path.expanduser("~/.openclaw/agents/main/agent/auth-profiles.json") ... access_token = profile['access'] ... "Authorization": f"Bearer {access_token}"
Only install if you intend to let the skill use that Google Antigravity auth profile; the publisher should declare the credential path, token scope, destination API, and remove or justify any hard-coded project fallback.
It is harder to confirm that the packaged artifact and registry listing come from the same publisher identity.
This packaged owner ID differs from the registry metadata owner ID supplied for the skill. That provenance inconsistency is not malicious by itself, but it should be resolved for a skill that reads credentials.
"ownerId": "kn7ffybxre15amw93mrgh8wksd80jzny"
Verify the publisher and request corrected metadata before trusting the skill with stored OAuth credentials.
