Is cost-report safe?

https://clawhub.ai/vincentqiu/cost-report

62
CAUTION

This cost reporting skill is functionally legitimate but presents meaningful security concerns. The cli.js file contains a shell injection vulnerability through improper argument escaping in execSync calls. The skill reads all session JSONL files across all agents, which contain far more sensitive data than just cost information, and the Discord integration creates a data exfiltration channel. While no active malicious behavior was detected during installation (no network calls, canary files intact), the combination of broad session log access, shell execution, and external messaging output warrants careful review before deployment.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

HIGH Shell injection via unescaped arguments in cli.js -30

cli.js constructs a shell command by wrapping each argument in double quotes but does not escape double quotes within the arguments themselves. An attacker-controlled argument containing a double quote followed by shell metacharacters could break out of the quoting and execute arbitrary commands.

HIGH Runtime chmod +x on shell script -15

cli.js executes chmod +x on the cost_report.sh script at runtime before executing it. While not malicious in itself, this pattern of modifying file permissions and then executing scripts is a code execution risk vector.

HIGH Direct execSync usage with constructed command strings -20

The cli.js file uses Node.js child_process.execSync to run shell scripts, constructing the command string from user input. This is inherently risky as it enables arbitrary code execution through the shell.

MEDIUM Broad session log access across all agents -25

The cost_report.sh script iterates over ALL agent directories and ALL session JSONL files matching ~/.openclaw/agents/*/sessions/*.jsonl. These files contain full conversation histories, tool call results, and API responses, far more data than just cost information. While the jq filter targets cost fields, the script has read access to all session data.

MEDIUM Discord reporting enables data exfiltration channel -15

The skill includes Discord output formatting and cron job examples that instruct the agent to send cost reports to Discord channels. This establishes a legitimate-looking data exfiltration channel. If the jq filters were modified (or if the raw grep output leaks data), sensitive information from session logs could be sent to external messaging platforms.

MEDIUM Hardcoded path traversal into user home directory -15

report_discord.sh contains a hardcoded cd into ~/.openclaw/agents/main/sessions and iterates over all JSONL files, piping content through grep and jq. This directly accesses user session data in the home directory.

MEDIUM Sensitive file access during installation -25

Filesystem monitoring detected access to /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the skill installation process. While this may be OpenClaw platform behavior rather than skill-initiated, a cost reporting tool should not need access to AWS credentials or .env files.

LOW Skill establishes session log parsing precedent -30

By normalizing the pattern of parsing all session logs, this skill creates a template that could be trivially modified to extract conversation content, API keys, or other sensitive data from the same JSONL files. A malicious fork would only need to change the jq filter expression.

LOW Shell injection could be chained with other skills -30

If another skill or automated cron job passes crafted arguments to the CLI (e.g., via the cron payloads), the shell injection in cli.js could be exploited to execute arbitrary commands in the context of the agent.

INFO SKILL.md is clean with no injection attempts -10

The SKILL.md file contains straightforward documentation with no hidden instructions, no persona manipulation, no unicode tricks, and no attempts to override system prompts or user preferences.