Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and Recommendations
This skill is overall coherent with its stated purpose (local token/cost analysis) and does not call out to the network or require credentials, but there are documentation vs code mismatches you should address before running it. Actions to take before installing/running: 1) Inspect scripts/cost_analyzer.js yourself (it is included) to confirm it only reads the files you expect and only writes the report path. 2) Note the path mismatch: decide whether your session logs live in ~/.openclaw/agents/...
ℹ Purpose and Capabilities
The declared purpose — analyzing OpenClaw session logs and producing a local cost report — matches the included script's behavior. The script reads session-like JSON lines and computes token/cost stats and recommendations. However, the SKILL.md/README/SECURITY texts reference a different session path (~/.openclaw/agents/main/agent/sessions/*.jsonl) while the script's CONFIG.logsDir is ~/.openclaw/workspace/memory/conversations. This mismatch is likely an authoring/documentation error but could cause the tool to analyze the wrong files or miss logs.
⚠ Instruction Scope
Runtime instructions are straightforward (run node scripts/cost_analyzer.js analyze|quick) and otherwise local. But SKILL.md contains example shell commands that modify or delete files (e.g., find ~/.openclaw/workspace/memory -name "2026-*.md" -mtime +30 -delete) and other suggested commands (openclaw cron add/edit) that implicitly perform system changes if executed by the user. The script itself appears read-only except for writing the report; the documentation's 'no modifications' claim conflicts with suggested shell commands and with different log paths — this inconsistency broadens the agent's effective scope if a user follows the docs without review.
✓ Install Mechanism
No install spec or network downloads. The skill is delivered as code files (pure Node.js) and expects node to run it. This is low-risk compared with remote installers.
✓ Credential Requirements
The skill requests no environment variables or credentials. It only accesses files under the user's home (reads logs, writes a report). No API keys or external services are required, which is proportionate for local cost analysis.
ℹ Persistence and Privileges
always is false and the script does not request elevated privileges. It writes output to ~/.openclaw/workspace/memory (report file) which is reasonable. There is no evidence the skill modifies other skills or global config. However the documentation suggests shell commands that can delete files — if users run those examples blindly they could cause data loss.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.1 2026/2/26
● Benign
Install Command
Official: npx clawhub@latest install oc-cost-analyzer
Mirror (accelerated): npx clawhub@latest install oc-cost-analyzer --registry https://cn.longxiaskill.com