Skillv0.2.0

ClawScan security

RedLine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 19, 2026, 4:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (live rate-limit checks) matches the actions described, but the runtime instructions assume local scripts and direct access to sensitive credentials (macOS Keychain and OpenClaw auth profile) while the package does not include the referenced scripts or declare the required config paths — proceed only after clarifying those gaps.
Guidance: This skill's goal (live usage/pacing) is reasonable, but the package is incomplete and asks the agent to access sensitive local credentials. Before installing: - Ask the publisher for the missing scripts (scripts/claude-usage and scripts/openai-usage) or for an install spec; do not run undocumented scripts. - Confirm you run this on macOS (it expects the `security` CLI and Keychain) and that OpenClaw is installed if you want OpenAI checks. - Understand that the skill will read OAuth tokens from your Keychain and ~/.openclaw auth-profiles.json; only proceed if you trust the skill owner and have inspected the scripts that will use those tokens. - If you prefer safer testing, request a trimmed-down version that prints API calls without sending tokens, or run the scripts in a sandboxed environment and inspect network traffic. - Because the bundle omits the scripts, treat the current publish as incomplete/untrusted until the missing files and an install mechanism are provided and reviewed.

Review Dimensions

Purpose & Capability: concernThe declared purpose (checking Anthropic/Claude and OpenAI usage and pacing agent behavior) matches the actions described (reading tokens and calling usage APIs). However, the SKILL.md and README repeatedly reference CLI scripts (scripts/claude-usage, scripts/openai-usage) and OpenClaw integration while the skill bundle contains no code files or install spec. The skill metadata only lists python3 as a required binary but the instructions also require the macOS `security` CLI and OpenClaw to be installed. These missing/undeclared dependencies are an incoherence.
Instruction Scope: concernRuntime instructions explicitly tell the agent to read the Claude OAuth token from macOS Keychain (service 'Claude Code-credentials') and to read OpenClaw auth profiles at ~/.openclaw/agents/main/agent/auth-profiles.json. Those are sensitive credentials and filesystem reads outside the skill's declared requirements. The instructions also tell the agent to write heartbeat-state.json and to integrate pacing into HEARTBEAT.md. The scope of file and secret access is broader than what the skill metadata declares.
Install Mechanism: noteThere is no install spec (instruction-only), which minimizes package install risk. However, the documentation and SKILL.md assume CLI scripts exist locally under ./scripts — they are not included. That mismatch means the skill as published is incomplete: either it expects external binaries/scripts to already be present (not declared) or the package omits required files.
Credentials: noteThe skill declares no required environment variables or config paths, but the instructions require reading two credential sources (macOS Keychain entry and an OpenClaw auth-profiles JSON). Access to those secrets is proportionate to the stated functionality (you must have tokens to query usage), but because they are not declared in the metadata this is a transparency issue and a potential privacy risk. Users should expect the skill to access OAuth tokens and plan accordingly.
Persistence & Privilege: okThe skill does not request always:true and does not declare elevated persistent privileges. It will store ephemeral usage readings (heartbeat-state.json) per its instructions, which is normal for a pacing helper. Autonomous invocation is allowed by default (normal for skills) but this combined with the secret access noted above increases the blast radius if the skill were malicious.