Skill v1.0.0

ClawScan security

OpenClaw Cost Guardian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 25, 2026, 8:14 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (cost monitoring and automatic model switching) is plausible, but the instructions assume access to agent/internal usage data and the ability to change settings while the metadata declares no required permissions or install—this mismatch is concerning and needs clarification before use.
Guidance
Before installing or enabling this skill, ask the publisher/platform these concrete questions:
(1) Exactly how does the skill obtain per-session and historical token usage? Is that telemetry provided by OpenClaw, or does the skill require access to logs/config files?
(2) Will the skill be granted permission to change default models or agent configuration? If so, what changes can it make and how are they authorized by the user?
(3) Where and how are daily reports or alerts delivered (chat only, email, external endpoint)? Are any external destinations used?
(4) Can you run the skill in a read-only mode (monitoring + recommendations) before allowing it to perform automatic switches?
(5) Request a precise list of required platform permissions, data access scopes, retention policy for usage data, and an option to disable automatic actions.
If those details are not provided and auditable, treat the skill as higher risk and avoid granting it persistent or configuration-modifying privileges.

Review Dimensions

Purpose & Capability
note: The skill's functionality (token monitoring, model recommendations, budget alerts) matches its name and description. However, the SKILL.md repeatedly requires reading 'current token consumption' and 'OpenClaw configuration' and performing 'automatic monitoring of every conversation' and 'automatic model recommendation/switching' without declaring any required environment variables, config paths, or privileges. That omission is inconsistent: a legitimate cost-monitor would need access to per-session/token telemetry and the ability to alter configuration or trigger model switches.
Instruction Scope
concern: Runtime instructions tell the agent to read OpenClaw configuration, current token consumption, model lists/prices, continuously monitor each conversation, send daily reports, and (optionally) switch models or enable local models. The SKILL.md does not specify where to get token metrics, how reports are delivered, or how model switching is executed. These steps entail reading platform telemetry and changing user/agent settings — scope that goes beyond a simple read-only helper and is not justified or constrained.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; this is low install risk because nothing is written to disk or fetched at install time.
Credentials
concern: The skill requests no credentials or config paths in metadata, yet expects access to potentially sensitive runtime telemetry (per-session token counts, model usage) and the ability to change default models and system behavior. Either the platform provides these implicitly (possible) or the SKILL.md is assuming elevated access without declaring it — that mismatch is concerning because it hides required privileges.
Persistence & Privilege
concern: Metadata shows always:false (not force-installed) and autonomous invocation allowed (normal). But the prose promises 'runs automatically once activated', 'automatically monitors every conversation' and 'sends a cost report every day', implying ongoing/background monitoring and automated actions. This conflicts with the declared flags and lacks detail about the mechanism, frequency, or user approval for ongoing operation. Background monitoring plus model-switching capability raises the potential blast radius if misused.