Skillv0.2.1

ClawScan security

OpenClaw Output Metrics Footer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 7:40 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The plugin mostly does what it says (append a metrics footer), but it reads the agent's local auth store and uses an unexpected external endpoint to fetch quota, which is a disproportionate and under-documented use of sensitive credentials.
Guidance: This extension does what it advertises (adds a metrics footer) but it also reads your OpenClaw auth profile file to extract an OAuth token and sends that token to an external endpoint (chatgpt.com/backend-api/wham/usage) to obtain quota info. Before installing: 1) Inspect the auth-profiles.json contents on your system to confirm what secrets are stored there and whether you are comfortable allowing a plugin to read them. 2) Verify the external endpoint is trustworthy — consider replacing or redirecting the quota call to a provider you control or to an official API (openai.com) if possible. 3) If you want to reduce risk, edit index.ts to (a) remove automatic auth-file reads and require an explicit, limited read-only quota token in the plugin config, or (b) omit quota fetching entirely so tokens never leave the host. 4) Restrict enabledChannels/disabledConversations to non-sensitive channels and test in an isolated environment before deploying to production. 5) Note the metadata omission: the skill does not declare it needs access to auth files/credentials; treat that as a red flag and prefer explicit consent or code changes that make credential usage transparent.
Findings: [read-auth-profiles] expected: The code explicitly reads ~/.openclaw/agents/main/agent/auth-profiles.json to find an openai-codex OAuth access token. Reading a local auth profile is logically required to obtain a token for fetching quota, but the skill metadata does not declare any required config paths or credential access, so the action is under-disclosed. [external-quota-fetch-chatgpt.com] unexpected: The plugin uses the extracted token as Authorization: Bearer <token> against https://chatgpt.com/backend-api/wham/usage. Using a third-party/non-openai.com domain for quota queries is unexpected and increases the risk of token exfiltration; the SKILL.md and README do not name this endpoint (only references/implementation.md does).

Review Dimensions

Purpose & Capability: concernThe skill's name/description (append an output footer with token/context/quota metrics) matches the code: it listens to llm_output and message_sending and composes a footer. However the code reads the local OpenClaw auth profile file (~/.openclaw/agents/main/agent/auth-profiles.json) to extract an openai-codex OAuth token and uses that token to call https://chatgpt.com/backend-api/wham/usage. Reading the agent auth store and doing an external fetch with a bearer token is not reflected in the skill metadata (no required config paths or credentials), so this access is disproportionate or at least insufficiently disclosed.
Instruction Scope: concernThe SKILL.md/README instructs copying the extension and updating openclaw.json but does not declare that the extension will read the agent auth-profiles.json file or that it will make outbound network calls carrying an OAuth bearer token. The code's behavior (reading local auth store and making quota requests) is outside what the prose explicitly lists as required resources, creating an information gap that could hide sensitive access.
Install Mechanism: okNo automated install script or remote downloads are used: the extension template is copied locally. This is low-risk from an install-download perspective (no remote arbitrary code fetch).
Credentials: concernThe package declares no required env vars or config paths, yet the code reads the agent auth profile file to extract an access token. Using a bearer token to call an external service (chatgpt.com) is sensitive: while a token is logically needed to fetch quota, the code does not ask the user to opt in or document the specific endpoint in the SKILL.md, and the chosen domain is atypical (not an official openai.com admin endpoint), increasing the risk that a token could be sent to an unexpected service.
Persistence & Privilege: concernThe plugin registers long-lived hooks (llm_output and message_sending) — which is normal — but it also reads other agent configuration (auth-profiles.json). Accessing the agent's credential store means the plugin can observe tokens belonging to the agent; this is a higher privilege than the README/metadata claims and should be treated carefully. The plugin is not 'always:true' and does not modify other skills, but the credential access is notable.