Skill v0.1.0
ClawScan security
Discord Output Metrics Footer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 24, 2026, 5:21 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin mostly does what it says (append token/context/quota footers), but it reads a local OpenClaw auth store and sends an OAuth token to an unexpected external endpoint (chatgpt.com), which is disproportionate and could expose credentials.
- Guidance: This extension generally does what it says (appends compact usage footers), but it reads your OpenClaw auth profile store and sends an OAuth token to https://chatgpt.com/backend-api/wham/usage to fetch quota. Before installing:
  1) Decide whether you trust that external endpoint—if not, disable the quota-fetch feature (set quotaCacheMs to 0 or remove the quota call) or do not install.
  2) Inspect ~/.openclaw/agents/main/agent/auth-profiles.json to confirm what credentials are stored and whether 'openai-codex' profiles exist.
  3) If you want the footer but not remote token use, modify the plugin to omit the fetchCodexQuota call or point it to an official provider usage API (and document that change).
  4) Consider running the plugin in a sandboxed environment first and monitor outgoing requests.
  5) If you need help auditing the endpoint or rewriting the quota logic to avoid sending tokens externally, get a developer review.

  The key risk is credential exposure — the plugin will read and use an OAuth token unless you remove/disable that behavior.
- Findings:
  - [reads-openclaw-auth-profiles] expected: The code reads ~/.openclaw/agents/main/agent/auth-profiles.json to locate an openai-codex OAuth token. Reading local auth profiles is required to obtain a token for querying quota, so this behavior is explainable by the quota feature, but it is a sensitive action and should be disclosed clearly in metadata/instructions.
  - [outbound-auth-bearer-to-3rd-party] unexpected: The code sends the extracted token in an Authorization header to https://chatgpt.com/backend-api/wham/usage. Sending a local OAuth token to chatgpt.com is unexpected: the endpoint is not the official OpenAI API domain. This looks like credential transmission to a third-party service and is a material security concern.
Review Dimensions
- Purpose & Capability (note): The skill's declared purpose (append context/token/quota metrics to Discord messages) aligns with the bundled code: it listens to llm_output and message_sending and computes context/usage and optional subagent aggregates. However, the quota feature requires reading local auth profiles (not declared as required in metadata) — this is explainable by the quota requirement but should have been called out explicitly.
- Instruction Scope (concern): The implementation reads a local file (~/.openclaw/agents/main/agent/auth-profiles.json) to extract an OpenAI Codex OAuth access token and then performs an outbound fetch to https://chatgpt.com/backend-api/wham/usage with that token as Authorization. Even though SKILL.md and references mention fetching Codex quota, the code transmits a credential to a third-party endpoint (chatgpt.com), which is a broader scope than simply reading local metrics and may be unexpected to users.
- Install Mechanism (ok): No remote installer or archives are used; the skill is an extension template the user copies into ~/.openclaw/extensions. No download-from-URL or package installs are present in the bundle.
- Credentials (concern): The skill declares no required env vars or credentials, yet the code reads the user's centralized OpenClaw auth profile file and extracts OAuth tokens. Accessing that file gives it access to credentials managed by OpenClaw; while the code filters for provider==='openai-codex', reading and using a bearer token (and sending it externally) is a high-privilege action that is not proportional to a benign UI-only metric display unless the user explicitly expects the plugin to contact the appropriate provider's usage endpoint.
- Persistence & Privilege (note): The plugin is not always-enabled and does not request elevated platform privileges. It will run as an installed OpenClaw plugin and registers standard hooks. The main privilege concern is its access to the central auth store (a legitimate location for provider tokens) combined with outbound network access; that combination increases the blast radius if the plugin is malicious or misconfigured.
