Smart Cost Tracker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent local cost-tracking skill, with the main caveat that broad triggers could activate it when the user only meant to discuss spending generally.

Install if you want local API cost and budget tracking. Be aware that general questions about budgets or spending may invoke it, and that it may store or update spending records under ~/.openclaw/cost-log.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough that ordinary user messages about budgets or daily spending could invoke this skill unexpectedly. In this skill, unintended invocation can lead to local persistence in ~/.openclaw/cost-log.json and disclosure or mutation of spending data when the user did not explicitly mean to use the cost tracker.

VirusTotal

62/62 vendors flagged this skill as clean.
