Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Cost Calculator

v1.2.4

AI Cost Calculator - compare costs across major models and optimize API spending. Suitable for: AI application developers and cost-sensitive users.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (AI cost comparison) align with the SKILL.md: it compares model prices and gives formulas/scripts. However, the declared requirements list only 'curl' while the provided example scripts also use bc and grep (with -P), which are not declared; this is a mismatch between claimed requirements and actual instructions.
Instruction Scope
Runtime instructions are instruction-only and limited to local arithmetic and curling vendor endpoints to scrape pricing. They do not request credentials or read local sensitive files. Some instructions are vague (e.g., '设置价格预警' ("set price alerts") has no concrete notification mechanism). The scripts assume GNU grep with -P and availability of bc; those environment assumptions are not declared.
Install Mechanism
There is no install spec and no code files; nothing is written to disk or downloaded. Instruction-only skills have a smaller attack surface than ones that fetch/execute code.
Credentials
The skill requests no environment variables, no credentials, and no config paths — proportional for a cost-calculator that only fetches public pricing pages.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/privileged presence or modification of other skills/settings.
What to consider before installing
This skill appears to do what it says (compare model costs) and requests no secrets, but review a few points before enabling it: (1) The examples/scripts call bc and grep -P but the skill only declares curl — ensure your agent environment has bc and a grep that supports -P, or the scripts will fail. (2) The SKILL.md uses curl to fetch pricing from third-party endpoints (openai.com, api.deepseek.com); verify those endpoints are trustworthy and that you are comfortable allowing the agent network access. (3) The price-alerting feature is described but not implemented — clarify how alerts would be delivered before relying on it. (4) Some numeric formulas/units in the examples look inconsistent (units and scaling by 100/1M); test the calculations with known values before using them for billing decisions. If you need stronger assurance, request the author to declare all required binaries (bc, grep) and to provide a concrete, auditable mechanism for price alerts.

Like a lobster shell, security has layers — review code before you run it.

latestvk979djadzc6z29aevhahpcaggn833mxf


Runtime requirements

🧮 Clawdis
Bins: curl
