Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Api Billing

v1.0.0

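API account balance and billing history query tool. Supports balance and billing history queries for platforms including Volcano Engine, Alibaba Cloud, DeepSeek, MiniMax, and OpenRouter. Used to query account balances, subscription usage, and historical spending records on each platform.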

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yifeiwang1981/api-billing.

Install the skill "Api Billing" (yifeiwang1981/api-billing) from ClawHub.
Skill page: https://clawhub.ai/yifeiwang1981/api-billing
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install api-billing

ClawHub CLI

npx clawhub@latest install api-billing

Security Scan

Capability signals
Requires OAuth token; Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The included Python scripts (volc/aliyun/deepseek/minimax/openrouter) implement balance and billing queries described in the README. The code-level capabilities match the stated purpose.
! Instruction Scope
SKILL.md tells users to keep credential files in ~/.openclaw/workspace/, but the scripts look for credentials at a relative path (../../../.<name>.env) under the repo root. The reminder script references a non-existent filename (query_volc_balance.py) and non-existent paths. The scripts read local credential files and make network calls to platform APIs, which is expected, but the mismatch between where the docs say credentials live and where the scripts read them is an inconsistency between scope and instructions that could lead to accidental credential exposure if users follow the docs.
Install Mechanism
There is no install spec and no code is downloaded at install time (instruction-only plus bundled scripts), so nothing is pulled from external arbitrary URLs during install.
! Credentials
Registry metadata declares no required env vars or credentials, but the skill expects multiple sensitive credential files (.volc_ak_sk.env, .aliyun_ak_sk.env, .minimax_cp_key.env, .deepseek_key.env, .openrouter_key.env). Encoding expectations are inconsistent across files (some scripts expect Base64, volc expects plain SecretKey). The skill requests access to many unrelated provider credentials (multiple clouds/APIs) which is reasonable for a multi-provider billing tool, but the lack of explicit declared requirements and inconsistent formats is a red flag.
Persistence & Privilege
always:false and no install-time persistent agent modifications. The skill does not request elevated agent privileges or modify other skills/configs.
What to consider before installing
Do not install or run this skill without manual review and fixes. Specific things to check before use:
- Verify and correct credential locations: decide whether credentials live under ~/.openclaw/workspace/ (as SKILL.md says) or next to the repo root (as scripts currently expect), and update scripts or docs accordingly.
- Do not place secrets inside the repository tree. Store them in a secure, outside location (OS keyring, encrypted file outside repo, or platform secret store) and modify scripts to read from that location.
- Fix typos/inconsistencies: key_rotation_reminder.sh references a missing query_volc_balance.py (file is query_volc_billing.py). Ensure filenames referenced by scripts and docs match.
- Standardize credential encoding: some scripts expect Base64-encoded env files while volc expects plain-secret; harmonize and document exact formats.
- Inspect network endpoints in each script (they appear legitimate) and run scripts in a sandboxed environment first. Limit the credentials you provide to only the accounts you want the skill to access.
- Prefer using environment variables or a secrets manager rather than plaintext files; ensure any credential files are .gitignored and permissions set to 600.
If you cannot or will not audit and fix the mismatches, treat this skill as untrusted and avoid supplying real credentials.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97etwyn0r0z5vkvjhz3y0pesh85m5p0
43 downloads
0 stars
1 version
Updated 21h ago
v1.0.0
MIT-0

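API Account Billing Query Tool

Overview

This skill provides balance and billing history queries for multiple platforms, helping you track API usage costs.

Features

  • Volcano Engine: balance query + billing history (last 6 months)
  • Alibaba Cloud: balance query + billing history
  • DeepSeek: balance query
  • MiniMax: Coding Plan usage query
  • OpenRouter: balance query

Credential Configuration

All credential files are stored in the ~/.openclaw/workspace/ directory: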

File                   Purpose
.volc_ak_sk.env        Volcano Engine AccessKey/SecretKey
.aliyun_ak_sk.env      Alibaba Cloud AccessKey/SecretKey
.minimax_cp_key.env    MiniMax Coding Plan API Key
.deepseek_key.env      DeepSeek API Key
.openrouter_key.env    OpenRouter API Key

Usage

# Volcano Engine (balance + billing history)
python3 skills/api-billing/scripts/query_volc_billing.py
python3 skills/api-billing/scripts/query_volc_billing.py --history

# Alibaba Cloud
python3 skills/api-billing/scripts/query_aliyun_balance.py

# DeepSeek
python3 skills/api-billing/scripts/query_deepseek_balance.py

# MiniMax
python3 skills/api-billing/scripts/query_minimax_plan.py

# OpenRouter
python3 skills/api-billing/scripts/query_openrouter_balance.py

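Sensitive Information Protection

  • Credential files are stored Base64-encoded
  • File permissions are set to 600 (readable and writable only by the owner)
  • Added to .gitignore, so they will not be committed to GitHub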