Cost Tracking for Models

Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill is largely limited to cost reporting, but it has an unsafe shell wrapper and can expose session-log error details in Discord-style reports.

Install only if you are comfortable with the skill reading local OpenClaw session logs. Avoid using the Node CLI with untrusted or free-form arguments until the shell invocation is hardened, and review any Discord or cron setup to ensure it does not share sensitive error details.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted invocation could run unintended commands on the user’s machine.

Why it was flagged

The wrapper passes raw command-line arguments into a shell command string, protected only by wrapping each argument in double quotes. Arguments containing double quotes, backticks, or `$(...)` expansions could break out of that quoting and execute before the shell script validates its options.

Skill content

const args = process.argv.slice(2); ... execSync(`"${scriptPath}" ${args.map(arg => `"${arg}"`).join(' ')}`, {

Recommendation

Use execFileSync or spawnSync with an argument array and shell: false, validate the allowed options before forwarding them, and replace the shell chmod call with fs.chmodSync.

What this means

Private session or provider error details could be posted to a Discord channel when using the Discord report workflow.

Why it was flagged

The Discord report helper intentionally extracts errorMessage values from persistent OpenClaw session logs and formats them for output, which may include more than cost/model totals.

Skill content

./cost_report.sh --today --format discord --show-errors ... cd ~/.openclaw/agents/main/sessions ... grep -a "errorMessage" ... jq -c '.message.model + ": " + .message.errorMessage'

Recommendation

Make error details opt-in, redact or truncate error messages by default, document exactly what log fields are shared, and limit reporting to user-approved channels.

What this means

If used as-is, reports may be posted automatically on a schedule.

Why it was flagged

The artifact provides enabled recurring job examples that would run agent turns and deliver reports to Discord if a user imports or enables them.

Skill content

"schedule": { "kind": "cron", "expr": "20 8 * * *" ... }, "payload": { "kind": "agentTurn", ... "deliver": true, "channel": "discord", "to": "dailyreport" }, "enabled": true

Recommendation

Review cron examples before enabling them, set the intended destination explicitly, and disable or remove jobs that should not run automatically.