OpenClaw Cost Guard
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a local, read-only cost-audit helper, with minor notes about running Node code, limited provenance, and keeping report output private.
This skill looks safe for its stated purpose as a local OpenClaw cost-governance checker. Before installing, note that it runs Node code and reads an OpenClaw config file, so use the intended path and avoid sharing the JSON report publicly if it contains budget or local path details.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may inspect your local OpenClaw configuration when used for a cost review.
The bundled script reads a default or user-selected OpenClaw config file. This is central to the cost-audit purpose and appears read-only, but it is still local code execution with local file access.
const configPath = path.resolve(getArg('--config', path.join(os.homedir(), '.openclaw', 'openclaw.json')));
Run it only against the intended config file and review the report before sharing it outside your workspace.
You have less external provenance information about where the skill came from.
The skill has limited provenance and installation metadata. The provided package is small and dependency-free, so this is a transparency note rather than a behavior concern.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Install from a trusted source and verify the included files if provenance matters for your environment.
The output may reveal local path information or budget settings.
The report includes derived evidence such as the config path and detected budget values. This is useful for the audit, but those details may become part of chat or log context if copied elsewhere.
evidence.budgetHints = budgetHints; ... console.log(JSON.stringify({ score, verdict, summary, findings, recommendations, guardrails, evidence }, null, 2));
Treat the generated JSON as internal and redact path or budget details before sharing it externally.
