ANVX - Token Economy Intelligence
v1.2.2
Read-only spending intelligence across your token economy — LLM API costs, crypto portfolio values, and Stripe revenue in one view.
by @tje8x
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (read-only spending intelligence) matches the included connectors (billing, cloud costs, exchanges, block explorers, Stripe, etc.). The many optional API keys correspond to the listed providers and are reasonable for the claimed functionality. Note: the SKILL.md lists ANTHROPIC_API_KEY as required while registry metadata earlier showed no required env vars—this mismatch should be reconciled.
Instruction Scope
SKILL.md confines the agent to read-only actions and instructs the user to run a local setup script (uv run python -m engine.setup) or start a local MCP server. The runtime instructions explicitly avoid accepting pasted keys into chat. However, because the skill bundles runnable Python code and asks the user to execute it locally, the agent's instructions can cause arbitrary code in the shipped package to run on the user's machine — review the included scripts (engine.setup, scripts/setup.py, engine/*.py) before running.
Install Mechanism
There is no external install spec (lowest installer risk), but the bundle contains ~60 Python files. The intended install/run path is to execute those local Python modules (uv run python -m engine.setup or mcp-server). That is a normal pattern for local tools but means you must trust the shipped code — nothing is fetched from unknown URLs at install time by default. The SKILL.md does include network_access to raw.githubusercontent.com which implies the code may fetch remote content at runtime (review code paths that call raw.githubusercontent.com).
Credentials
The set of environment variables listed in SKILL.md (Anthropic required; many provider keys optional) map to the connectors present in the codebase. Requesting AWS, Stripe, Coinbase, Binance, etc. credentials is proportional to aggregating billing and holdings. The code states credentials are stored in the system keyring (not plain files). Confirm engine/credentials.py indeed uses the system keyring and not insecure file fallbacks before supplying secrets. Also note analytics env vars (ANALYTICS_ENABLED, ANALYTICS_ENDPOINT) are optional but present and could send structural telemetry if enabled.
Persistence & Privilege
The skill does not request forced persistence (always: false). It writes local cache and logs under ~/.token-economy-intel (model.json, pricing_cache.json, events.jsonl) and advertises credential storage in the system keyring. Those local files are expected for caching and logs; confirm you are comfortable with these paths. Optional telemetry can send anonymised events to ANALYTICS_ENDPOINT if enabled (default disabled).
Assessment
This skill appears coherent for its stated purpose, but you should take a few precautions before installing/running it:
- Verify source/trust: The package metadata lists an unknown source/homepage. If possible, obtain the code from a trusted repository or vendor and confirm the author and release integrity.
- Review credential handling: Open engine/credentials.py and confirm it uses your system keyring (not a plaintext file or cloud upload). Only provide credentials via the recommended setup script and avoid pasting keys in chat.
- Use minimal, read-only credentials: For exchanges, use read-only API keys. For AWS, grant only Cost Explorer (or minimally scoped read-only) permissions. For Stripe and others, use keys that permit only the necessary read operations.
- Inspect analytics and network calls: By default telemetry is disabled, but if you enable ANALYTICS_ENDPOINT it will POST events (sanitised) — keep this off unless you trust the endpoint. Search the code for any runtime fetches from raw.githubusercontent.com or other remote hosts and verify their purpose.
- Run locally in a controlled environment first: Execute the setup script on an isolated machine or VM, review the behavior and the files created under ~/.token-economy-intel, and check network traffic if you can.
- Reconcile metadata mismatch: SKILL.md declares ANTHROPIC_API_KEY required while registry metadata lists none; ask the publisher to clarify required env vars before provisioning keys.
If you are not comfortable auditing the code, do not run the packaged scripts or provide production credentials; consider using synthetic/test mode for onboarding instead.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai, ai-costs, api, api-costs, aws, billing, cloud, crypto, devtools, finance, fintech, latest, llm, monitoring, optimisation, optimization, spending, tokens
