Skill v1.0.2

ClawScan security

Openclaw Cost Optimization · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review Mar 14, 2026, 9:43 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
Instruction-only cost-optimization guide that generally fits its purpose but makes unexplained assumptions about an external 'openclaw' CLI/config and does not declare those dependencies or any required credentials.
Guidance
This skill is mostly a collection of sensible cost-saving tips, but it assumes you have an 'openclaw' command-line tool and a ~/.openclaw/config.yaml without declaring that dependency or any credentials that tool might need. Before using: (1) verify where the 'openclaw' CLI comes from and that you trust its source; (2) check what credentials/config the CLI will read or modify (e.g., API keys in ~/.openclaw or environment variables) before running its commands; (3) back up any existing ~/.openclaw/config.yaml before applying changes; (4) be cautious about contacting the personal handles listed for paid services — they are external and unrelated to the skill package. If you cannot confirm the origin/trustworthiness of the 'openclaw' binary, avoid running the suggested commands.

Review Dimensions

Purpose & Capability
note: The skill's name and content are about cost optimization and the documented tips (model selection, caching, budgeting) align with that purpose. However, the runtime instructions repeatedly call an external 'openclaw' CLI and reference ~/.openclaw/config.yaml while the skill metadata declares no required binaries or installs; that mismatch is unexplained.
Instruction Scope
ok: The SKILL.md stays within cost-optimization scope: it recommends model choices, config snippets, budgeting and monitoring commands. It instructs editing a user config (~/.openclaw/config.yaml) and running 'openclaw' commands — actions consistent with the stated goal and confined to the user's agent/tooling.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, which is low-risk. Nothing in the manifest tries to download or write code to disk.
Credentials
note: No environment variables, credentials, or config paths are declared as required. Yet the instructions expect interaction with a CLI that likely needs service credentials (to report usage, switch models, query costs). The skill does not request or document those credentials, which is an incoherence to be aware of.
Persistence & Privilege
ok: The skill is not set to always:true and has no install-time persistence. It does instruct changing a per-user config file (~/.openclaw/config.yaml) which is normal for a tool of this type and not a privilege escalation.