OpenClaw Usage Manager

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned, but it handles Anthropic account tokens and can automatically rewrite OpenClaw’s default Claude account while making incomplete token-storage claims.

Install only if you are comfortable giving this tool both Claude account tokens and permission to change OpenClaw’s active Anthropic account. Review the code, pin the source, protect or avoid tokens.json, back up auth-profiles.json, run the checker manually first, and enable the 3-hour cron job only after confirming the switching behavior is what you want.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Env credential access

Critical
Finding
Environment variable access combined with network send.

Potential exfiltration

Warn
Finding
Sensitive-looking file read is paired with a network send.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The active Claude account for OpenClaw can be changed automatically, and an unexpected current token could be overwritten, because the code treats any token that is not C1 as C2.

Why it was flagged

The checker reads OpenClaw's local auth profile and rewrites the default Anthropic token, so it is not just displaying usage; it changes the identity future OpenClaw sessions use.

Skill content
const AUTH_FILE = `${process.env.HOME}/.openclaw/agents/main/agent/auth-profiles.json`; ... const current = auth.profiles['anthropic:default'].token; ... auth.profiles['anthropic:default'].token = altToken; ... renameSync(tmpFile, AUTH_FILE);
Recommendation

Only enable this if you intend automatic account switching. Back up auth-profiles.json, validate that the current token is one of the configured C1/C2 tokens before writing, and require explicit confirmation or logging for switches.

What this means

A user may believe the 1Password setup never places API tokens on disk, when the auto-switcher path does store tokens locally.

Why it was flagged

This blanket safety claim is incomplete: the included setup flow writes C1/C2 token values into tokens.json for the auto-switcher, protected only by chmod 600.

Skill content
Tokens are never stored in plaintext on disk. 1Password handles encryption and access control.
Recommendation

Clarify documentation to say exactly when tokens are stored in tokens.json, where the file lives, how it is protected, and how to delete or rotate those tokens.

What this means

Once cron is enabled, the tool can keep checking usage and changing accounts in the background.

Why it was flagged

The skill is explicitly designed to keep running on a schedule and take account-switching action without a user present.

Skill content
Auto-Switcher: Checks rates every 3h (via cron), switches when either 5h OR 7d hits 80%
Recommendation

Run it manually first, review logs, and enable the cron job only if unattended switching is desired.

What this means

A malformed item ID in the configuration, or an unrelated process listening on port 18800, could cause unintended local command execution or process termination.

Why it was flagged

The dashboard runs local shell commands for 1Password token retrieval and port cleanup. This is related to its purpose, but shell interpolation and automatic process termination have side effects.

Skill content
execSync(`op item get ${itemId} --reveal --format=json 2>/dev/null`); ... execSync(`lsof -ti:${PORT} | xargs kill 2>/dev/null`);
Recommendation

Use spawn/execFile with argument arrays, validate item IDs, and avoid killing arbitrary processes unless the user confirms.

What this means

If the remote repository changes, a user following the instructions later may install code different from the reviewed artifacts.

Why it was flagged

The installation instructions fetch a mutable remote repository rather than a pinned release or commit, and the registry source is not declared.

Skill content
git clone https://github.com/Takao-Mochizuki/openclaw-usage-manager.git
Recommendation

Install from a reviewed commit or release tag and compare the downloaded files with the expected contents before enabling cron.