Cost Control
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent cost-monitoring utility, but it should be configured deliberately: its optional watchdog can run on a schedule and terminate a local process.
This skill is reasonable if you want local API spend protection. Before installing, verify the pip package (or use the reviewed files directly), set conservative thresholds, confirm that the PID file can only ever point at the intended application, protect the state directory so that nothing else can write the PID file or the block files, and make sure operators know how to clear the emergency and kill-switch files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the watchdog can stop an application process when cost thresholds are exceeded.
The watchdog can terminate the process identified by a local PID file. This is the advertised last-resort cost-control behavior, but a misconfigured or stale PID file could make it stop the wrong local process: a PID left behind by an exited application can be reused by an unrelated process, and anyone who can write the PID file chooses the kill target.
PID_FILE = "state/app.pid" ... os.kill(pid, signal.SIGTERM) ... os.kill(pid, signal.SIGKILL)
Use the watchdog only for applications you intend it to control, verify the PID file path, protect the state directory, and test threshold behavior before production use.
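The checks above can be made concrete. The following is an added example, not code from the skill: before signalling, it validates the PID file contents, refuses system PIDs, removes a stale file whose process has exited, and compares the target's command line (via /proc, where available) against a marker you expect the protected application to carry. The path `state/app.pid` is taken from the finding; the marker `my_app.py`, the grace period and the outcome strings are assumptions for illustration.

```python
"""Guarded watchdog kill: validate a PID file before signalling anything.

Added example, not the skill's own code. Assumes the PID file holds a single
decimal PID and that the protected app's command line contains a known marker;
EXPECTED_CMD_MARKER and the grace period are hypothetical.
"""
import os
import signal
import time
from pathlib import Path
from typing import Optional

PID_FILE = Path("state/app.pid")      # path named in the finding above
EXPECTED_CMD_MARKER = "my_app.py"     # hypothetical: substring expected in the app's cmdline


def read_pid(pid_file: Path) -> Optional[int]:
    """Return the PID from the file, or None if it is missing, malformed or a system PID."""
    try:
        text = pid_file.read_text().strip()
    except OSError:
        return None
    if not text.isdigit():
        return None
    pid = int(text)
    # os.kill(0, sig) signals the whole process group and PID 1 is init:
    # neither must ever be a watchdog target, whatever the file says.
    if pid <= 1:
        return None
    return pid


def process_alive(pid: int) -> bool:
    """Signal 0 tests existence without delivering anything to the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def cmdline_matches(pid: int, marker: str) -> Optional[bool]:
    """True/False when /proc can be read; None when the platform offers no way to check."""
    try:
        raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    except OSError:
        return None
    return marker in raw.replace(b"\0", b" ").decode(errors="replace")


def kill_guarded(pid_file: Path, marker: str, grace: float = 5.0, dry_run: bool = False) -> str:
    """Terminate the PID named in pid_file only if it is alive and matches marker.

    Returns a short outcome string so the decision can be logged and tested.
    """
    if not pid_file.exists():
        return "no-pid-file"
    pid = read_pid(pid_file)
    if pid is None:
        return "invalid-pid"
    if not process_alive(pid):
        # Stale file: the app is gone and the PID may be recycled later.
        # Remove it so a later run cannot signal an unrelated process.
        pid_file.unlink(missing_ok=True)
        return "stale"
    verified = cmdline_matches(pid, marker)
    if verified is None:
        return "unverifiable"  # refuse to act rather than guess
    if not verified:
        return "mismatch"
    if dry_run:
        return "would-terminate"
    os.kill(pid, signal.SIGTERM)
    deadline = time.monotonic() + grace
    while time.monotonic() < deadline:
        if not process_alive(pid):
            return "terminated"
        time.sleep(0.1)
    os.kill(pid, signal.SIGKILL)  # escalate only after the grace period
    return "killed"


if __name__ == "__main__":
    print(kill_guarded(PID_FILE, EXPECTED_CMD_MARKER, dry_run=True))
```

Run it with dry_run=True from the cron environment first; the outcome string tells you whether the file, PID and command line resolve to the process you intend before any signal is sent. Note that a process whose parent has not reaped it still answers signal 0, so the escalation to SIGKILL can fire on a zombie; that is harmless but worth recognising in the log.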
Once added to cron, the watchdog keeps running every two minutes and can keep an emergency block active until it is manually cleared.
The documentation recommends an optional cron job that runs the watchdog every two minutes. This creates persistent background enforcement, though it is disclosed and user-installed.
*/2 * * * * cd /your/project && python3 cost_watchdog.py >> logs/watchdog.log 2>&1
Only add the cron job intentionally, document it for operators, and remove or disable it when the protected application no longer needs it.
Installing the wrong or changed package could introduce code that differs from the reviewed artifacts.
The documentation suggests installing an external package without pinning a version or hash, so the code fetched at install time is not guaranteed to match the reviewed artifacts. This is a normal setup pattern, but users should verify package provenance.
pip install cost-control-system # OR copy cost_control.py to your project
Prefer reviewed local files when possible, or verify the package source and pin the exact version or hash before installing.
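The following is an added example, not code from the skill, of the two checks the recommendation calls for: confirming that the file you are about to run is byte-identical to the copy you reviewed, and producing a hash-pinned requirements line that `pip install --require-hashes -r requirements.txt` will refuse to install if the downloaded artifact differs. The package name comes from the install line above; the version and digest printed at the bottom are placeholders.

```python
"""Pin and verify the package artifact before installing it.

Added example, not the skill's own code. The version "X.Y.Z" and the digest
placeholder are hypothetical; replace them with values you verified yourself.
"""
import hashlib
import hmac
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file so a large wheel or sdist does not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, expected_sha256: str) -> bool:
    """Compare against the digest recorded when the artifact was reviewed."""
    return hmac.compare_digest(sha256_of_file(path), expected_sha256.strip().lower())


def files_match(reviewed: Path, installed: Path) -> bool:
    """Confirm the copy that will run is byte-identical to the copy that was reviewed."""
    return hmac.compare_digest(sha256_of_file(reviewed), sha256_of_file(installed))


def requirement_line(name: str, version: str, sha256: str) -> str:
    """Requirements entry for `pip install --require-hashes -r requirements.txt`."""
    return f"{name}=={version} --hash=sha256:{sha256}"


if __name__ == "__main__":
    # Placeholder values: substitute the version and digest you verified.
    print(requirement_line("cost-control-system", "X.Y.Z", "<sha256-of-reviewed-artifact>"))
```

With `--require-hashes`, pip rejects any requirement that lacks a hash and any download whose digest does not match, which is the property you want when the reviewed artifact and the installed one must be the same bytes.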
