Is kyya/balance-checker safe?
https://github.com/openclaw/skills/tree/main/skills/kyya/balance-checker
The balance-checker skill is a legitimate Chinese-language tool for querying AI API service balances across DeepSeek, Moonshot/Kimi, and Volcengine. Its code is transparent, matches its stated purpose, and shows no prompt injection, obfuscation, or unauthorized exfiltration. The primary risks are inherent to its design: it transmits user API credentials to external provider endpoints, reads the full OpenClaw config file (not just the needed keys), installs a third-party PyPI package without version pinning, and its setup script is broken due to references to non-existent files.
Findings (8)
MEDIUM Full config file read beyond declared credential scope -20
query_balance.py reads the entire ~/.openclaw/openclaw.json configuration file to retrieve Volcengine credentials. This config file may contain all user environment variables including other API keys, tokens, and secrets. While the code only extracts VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY, the full file is parsed into memory as a Python dict, making all contents available to the running process.
MEDIUM API credentials transmitted to external provider endpoints -15
The skill sends user API keys (DEEPSEEK_API_KEY, MOONSHOT_API_KEY, VOLCENGINE_ACCESS_KEY/SECRET_KEY) over HTTPS to their respective provider APIs. While this is the skill's declared and intended purpose, users should understand that executing this skill transmits credentials externally. A compromised provider endpoint or MITM attack could capture keys.
MEDIUM Third-party PyPI package installation with supply chain risk -18
setup_volcengine.sh installs volcengine-python-sdk from PyPI using pip. This introduces a supply chain dependency on a third-party package. If the PyPI package is compromised or typosquatted, arbitrary code could execute during installation. The package name corresponds to a legitimate Volcengine SDK but was not verified against a hash or pinned version.
LOW Setup script references non-existent files causing guaranteed failure -12
setup_volcengine.sh runs chmod +x on volcengine_balance.sh and setup.sh, neither of which exists in the repository. The script uses set -e, so it will exit with an error after installing the SDK. Users will see a failed installation and may be unable to use Volcengine balance queries without manual intervention.
LOW Skill enumerates configured AI API providers on activation -20
When triggered, the skill reveals which AI API providers the user has configured by checking for the presence of specific environment variables. An attacker who could cause this skill to run (or chain it with another skill) would learn which API services the user subscribes to and whether those services are active, enabling targeted credential theft attempts.
LOW Broad trigger keywords may activate in non-targeted contexts -8
The skill triggers on generic terms like '余额多少' (how much balance) and '还有多少额度' (how much quota remains) which are common in general financial or subscription discussions. An agent handling billing questions or bank-related queries could unintentionally trigger this skill, potentially leaking that the user has API accounts with specific providers.
INFO Canary file accesses attributed to audit harness, not skill 0
Filesystem monitoring detected accesses to canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at timestamp 1771902766, which is approximately 6 seconds BEFORE the git clone began at 1771902772. A second access batch at 1771902790 occurred after install completion. Both batches are consistent with the oathe audit harness performing pre/post-install baseline checks. No skill code references these paths.
INFO Clone behavior clean — only expected GitHub connections 0
Network monitoring shows only connections to 140.82.121.4:443 (GitHub) during the clone phase. No unexpected outbound connections, no DNS exfiltration, no background processes established. Connection diff shows no new listening ports or persistent connections after install.