Back to skill

Security audit

Cost Tracking for Models

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does local OpenClaw cost reporting, but it has unsafe command execution and can expose session-log error details in Discord-oriented reports.

Review before installing. Use the shell script directly with simple documented flags if needed, avoid report_discord.sh and --show-errors when session errors may contain sensitive content, and do not pass untrusted CLI arguments until the wrapper is changed to use a safe argument-array API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The documented behavior does not match the reported implemented behavior: the skill allegedly extracts model error messages, includes a Discord helper for Kimi-specific session data, and overstates support for weekly/monthly reporting. This mismatch is security-relevant because undeclared data extraction from session logs can expose sensitive operational details or user content, and hidden functionality reduces a user's ability to give informed consent before running the skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script does more than generate a cost report: it traverses local OpenClaw session logs and prints Kimi model error details from raw JSONL history. Error messages often contain request fragments, prompts, identifiers, or other sensitive operational data, so exposing them in a Discord-oriented reporting path creates an unnecessary data-disclosure channel beyond the stated cost-tracking purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reading raw session history from ~/.openclaw/agents/main/sessions is broader access than a cost-tracking skill should require, and it bypasses data minimization. Because the script extracts and emits errorMessage fields directly, it can leak sensitive content from model interactions or backend failures to whoever receives the report.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script accesses user session data and outputs extracted error details without warning, consent, or indication that private local history will be inspected. In a messaging/reporting workflow, this lack of transparency increases the chance of unintentional disclosure of sensitive information to chat recipients or logs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli.js:25