Dangerous exec
Critical
- Finding
- Shell command execution detected (child_process).
Cost Tracking for Models
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly aligned with cost reporting, but its CLI wrapper builds shell commands from unescaped arguments, which could let a crafted invocation run unintended local commands.
Install only if you trust the local script and need cross-agent OpenClaw cost reporting. Be careful with automated Discord reports and avoid passing untrusted or unusual CLI arguments until the shell invocation is fixed.
Static analysis
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
#
ASI02: Tool Misuse and Exploitation
High
What this means
If an agent or user invokes the CLI with a maliciously crafted argument, it could run arbitrary shell commands as the local OpenClaw user.
Why it was flagged
The wrapper constructs a shell command string from raw CLI arguments. Double quotes do not safely prevent shell command substitution or embedded quote escapes, so a crafted argument could execute commands unrelated to cost reporting.
Skill content
const args = process.argv.slice(2); ... execSync(`"${scriptPath}" ${args.map(arg => `"${arg}"`).join(' ')}`, {Recommendation
Use execFileSync/spawn with an argument array instead of shell string interpolation, validate allowed options, and use fs.chmodSync rather than shelling out to chmod.
#
ASI06: Memory and Context Poisoning
Medium
What this means
Reports may reveal model usage, costs, token counts, and error details from prior OpenClaw sessions.
Why it was flagged
The script reads persistent OpenClaw session logs across agents and can extract error messages as well as model, token, and cost metadata.
Skill content
OPENCLAW_SESSIONS_DIR=~/.openclaw/agents ... for agent_dir in "$SESSIONS_DIR"/* ... errorMessage: .message.errorMessage
Recommendation
Use the skill only if you are comfortable letting it read OpenClaw session logs; avoid --show-errors or Discord sharing when error messages may contain sensitive information.
#
ASI07: Insecure Inter-Agent Communication
Low
What this means
If the example is enabled, cost and usage summaries may be posted automatically to the configured Discord channel.
Why it was flagged
The provided cron examples show scheduled delivery of cost reports to a Discord channel. This is purpose-aligned, but it moves report contents outside the local environment.
Skill content
"deliver": true, "channel": "discord", "to": "dailyreport"
Recommendation
Review the target channel, schedule, and included report fields before enabling automated Discord delivery.