Is dasweltall/openclaw-cost-guard safe?
https://github.com/openclaw/skills/tree/main/skills/dasweltall/openclaw-cost-guard
openclaw-cost-guard is a legitimate cost-tracking skill with no detected prompt injection attacks, malicious code, or active data exfiltration. The primary concerns are the broad wildcard access to session JSONL logs (which may contain sensitive conversation content beyond token counts), an executable Python script invoked by the agent, and a behavioral playbook that constrains agent verbosity when triggered. No canary files were modified, no unexpected network connections were made, and the clone operation was clean.
Findings (5)
MEDIUM: Broad session log read access (score -20)
SKILL.md instructs the agent to read all JSONL session files under ~/.openclaw/agents//sessions/ and ~/.clawdbot/agents//sessions/ using wildcard globs. These logs are documented to contain per-call usage data but in practice also store full message payloads, system prompts, and tool call results from prior sessions. The access is wider than required for cost aggregation alone.
LOW: Token-saving playbook imposes behavioral constraints (score -15)
The skill embeds a set of response-shaping rules that are injected into the agent's system context and activate when the user utters a specific trigger phrase. Rules include hard limits on output length, web iteration count, and log verbosity. While opt-in and legitimate in spirit, these rules alter agent decision-making in ways the user may not fully anticipate.
LOW: Executable Python script invoked by agent (score -18)
The skill ships scripts/extract_cost.py and directs the agent to execute it directly via python3. The script is well-structured stdlib-only Python with no obfuscation, but it does execute with the user's filesystem permissions and reads files from the home directory. Any future modification of this script (e.g. via supply-chain update) would execute with no further review gate.
LOW: Canary/honeypot files read during audit window (score -10)
All six honeypot credential files were opened and read (CLOSE_NOWRITE) twice during the monitoring period. Timing analysis places both accesses within the audit infrastructure's own scanning activity (pre-install setup and post-install integrity check) rather than any skill-controlled process. Files were not modified and no correlated network exfiltration was observed, but the read events are noted.
INFO: Session log content creates indirect sensitivity exposure (score -28)
While the skill does not exfiltrate data itself, directing the agent to parse session JSONL files means the agent loads potentially sensitive prior-session content into its working context during a cost-check task. If another concurrently loaded skill had an exfiltration channel, the session data would be within scope.