Skill v1.2.4
ClawScan security
Ai Cost Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 17, 2026, 5:58 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: Skill mostly matches its stated purpose (price comparison) but has small inconsistencies (missing declared binaries, assumptions about environment/tools, vague monitoring steps) that warrant caution before installing.
- Guidance: This skill appears to do what it says (compare model costs) and requests no secrets, but review a few points before enabling it: (1) The examples/scripts call bc and grep -P but the skill only declares curl — ensure your agent environment has bc and a grep that supports -P, or the scripts will fail. (2) The SKILL.md uses curl to fetch pricing from third-party endpoints (openai.com, api.deepseek.com); verify those endpoints are trustworthy and that you are comfortable allowing the agent network access. (3) The price-alerting feature is described but not implemented — clarify how alerts would be delivered before relying on it. (4) Some numeric formulas/units in the examples look inconsistent (units and scaling by 100/1M); test the calculations with known values before using them for billing decisions. If you need stronger assurance, request the author to declare all required binaries (bc, grep) and to provide a concrete, auditable mechanism for price alerts.
Review Dimensions
- Purpose & Capability (note): The name/description (AI cost comparison) align with the SKILL.md: it compares model prices and gives formulas/scripts. However, the declared requirements list only 'curl' while the provided example scripts also use bc and grep (with -P), which are not declared; this is a mismatch between claimed requirements and actual instructions.
- Instruction Scope (note): Runtime instructions are instruction-only and limited to local arithmetic and curling vendor endpoints to scrape pricing. They do not request credentials or read local sensitive files. Some instructions are vague (e.g., '设置价格预警' ("set price alerts") has no concrete notification mechanism). The scripts assume GNU grep with -P and availability of bc; those environment assumptions are not declared.
- Install Mechanism (ok): There is no install spec and no code files; nothing is written to disk or downloaded. Instruction-only skills have a smaller attack surface than ones that fetch/execute code.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths — proportional for a cost-calculator that only fetches public pricing pages.
- Persistence & Privilege (ok): `always` is false and the skill is user-invocable; it does not request persistent/privileged presence or modification of other skills/settings.
