Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Cost Guard

v0.1.0

This skill should be used when the user asks to reduce OpenClaw token spend, audit model and cron cost risk, prevent denial-of-wallet incidents, add budget g...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, SKILL.md, and included scripts are aligned: the script performs a static review of an OpenClaw config for cost/budget signals. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
The runtime instructions explicitly tell the agent to run node scripts/cost-guard.mjs against an OpenClaw config (default ~/.openclaw/openclaw.json). The script only reads that config file, performs regex/static checks, and prints JSON results. Note: because it reads the user's config file, any secrets present in that file (API keys, provider tokens) could be exposed in stdout or logs when the script is run—there is no network exfiltration or external endpoints in the script itself.
Install Mechanism
No install spec, no downloads, and package files are included in the repository. It's instruction-only with embedded scripts (no installers or external package pulls).
Credentials
The skill requires no environment variables, no credentials, and no special config paths beyond the OpenClaw config it is meant to inspect. The requested access (reading the OpenClaw config) is proportionate to the stated purpose.
Persistence & Privilege
Skill is not always-on and does not modify other skills or system-wide settings. It runs locally and exits; it does not persist tokens or change agent configuration.
Assessment
This package is internally coherent and appears safe to inspect and run locally. Before running it: (1) review the included scripts (they are small and readable) — there are no network calls or external installs; (2) be aware the script will read your OpenClaw config (default ~/.openclaw/openclaw.json). If that config contains provider API keys or secrets, consider running the script against a sanitized copy or verifying that stdout/log capture is private; (3) the test harness runs the script via node locally (child_process usage is only in tests) — run tests in a safe temp directory. If you need stronger guarantees, run the script on a copy of your config stripped of secrets.
tests/test.mjs:22
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
