Token Monitor

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: token-monitor
Version: 1.0.3

The `scripts/check-quota.sh` file contains a shell injection vulnerability. The `mkdir -p "$(dirname "$STATE_FILE")"` command uses the `$STATE_FILE` variable, which can be controlled by user input via the `--state-file` argument or `QUOTA_STATE_FILE` environment variable. If an attacker provides a crafted path like `$(evil_command)/file`, the `evil_command` would be executed. While the skill's stated purpose is benign and the `SKILL.md` does not demonstrate exploiting this, the vulnerability itself allows for arbitrary command execution, classifying it as suspicious rather than malicious due to the lack of clear evidence of intentional self-exploitation.