Is clawcost safe?

https://clawhub.ai/ShallIfy/clawcost

68
CAUTION

ClawCost is a cost-tracking skill with legitimate core functionality, but the installation phase raised significant concerns. AWS credentials and other sensitive files (.env, auth-profiles.json) were accessed during installation without any justification from the skill's stated purpose. While no outbound network activity was detected (meaning no active exfiltration occurred during monitoring), the combination of sensitive file access during install and the Python script's broad read access to full conversation session data warrants caution. The script itself contains a bug suggesting incomplete development.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 50/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

CRITICAL AWS credentials accessed during installation -40

Filesystem monitoring captured an OPEN and ACCESS event on /home/oc-exec/.aws/credentials during the skill installation process at 14:08:01. This high-value credential file containing AWS access keys has no legitimate relationship to a cost-tracking skill. Whether caused by the skill itself or the OpenClaw runtime during installation, this represents a significant security concern.

HIGH Sensitive files accessed during installation -30

Beyond AWS credentials, the installation process accessed .env, auth-profiles.json, and multiple OpenClaw config files. While some file access may be normal OpenClaw initialization, the breadth of sensitive file access during a simple skill install is concerning.

MEDIUM Session files contain full conversation data -15

The script parses ~/.openclaw/agents/main/sessions/*.jsonl files which contain complete conversation messages, not just usage metadata. While the script only extracts usage/cost fields, it has read access to all conversation history content.

MEDIUM Python script with broad filesystem capabilities -25

The skill executes a Python script with the user's full permissions. The script uses glob.glob() for file enumeration, Path.home() for home directory access, os.environ for environment variables, and creates directories with mkdir(parents=True). While used legitimately, these capabilities could be abused if the script is modified.

LOW Bug in JSON output mode references undefined variable -10

A line in the JSON format output block references 'args.user', but no --user argument is defined in the argparse configuration; only a local 'user' variable exists. This would cause a crash in --format json mode, suggesting incomplete or modified code.

LOW Skill overrides agent presentation tone and formatting -8

SKILL.md dictates a specific presentation style ('Friendly, like a helpful assistant'), emoji usage, and formatting rules that override the agent's default behavior. It uses 'IMPORTANT' emphasis to prioritize its alert instructions.

LOW Username leaked in output -10

The script includes the $USER environment variable in its JSON output, which gets displayed to the agent and potentially logged.

INFO Empty auditd process execution logs -10

The auditd process execution monitoring returned empty results. While this could mean no suspicious processes were spawned, it could also indicate that audit logging was not properly configured or was evaded.