Security Scan
OpenClaw
Safe
high confidence
Assessment and recommendations
This skill is internally consistent with its stated purpose and appears to only read local OpenClaw/Clawdbot session logs, store aggregates in a local SQLite DB, and render images via a headless browser. Before installing, consider: 1) The install step invokes pip and will download packages from PyPI (network activity during install). 2) The rendering dependency (html2image) requires Chromium; ensure you trust/verify the Chromium binary and/or the system package source. 3) The skill reads files ...
✓ Purpose and capabilities
Name/description match the code and runtime requirements: the scripts parse local OpenClaw/Clawdbot session JSONL files, compute token/cost metrics, persist to a local SQLite DB, and render PNG reports using a headless Chromium via html2image. Required binaries (python3, chromium) and the OPENCLAW_WORKSPACE env var are used by the code.
✓ Instruction scope
SKILL.md runtime instructions are narrowly scoped to syncing session logs, generating reports, and delivering images via the agent message tool. The scripts read filesystem session logs (under ~/.openclaw and ~/.clawdbot) and a local SQLite DB; they do not contain code that transmits data over the network or accesses unrelated system credentials.
ℹ Install mechanism
This is an instruction-and-script skill with a pip install step (pip3 install -r requirements.txt). Installing will fetch dependencies from PyPI (network access during install). The runtime claims '100% local' and 'No External Calls', which is true at runtime, but the install step itself will contact PyPI. Also html2image or its dependencies can sometimes pull or require a local browser binary; the skill requires chromium to be present but some html-rendering libraries may attempt downloads if not found. This is expected for this functionality but worth noting.
✓ Credential requirements
Only OPENCLAW_WORKSPACE is requested and is used as the workspace/storage path. No credentials or unrelated secrets are required. The code reads user session log files (which may contain metadata about sessions) but only extracts usage/token counts and model names in the shown logic; it does not request API keys or other external credentials.
✓ Persistence and privileges
The skill creates a local SQLite database and other report files under the workspace (default ~/.llm-cost-monitor or OPENCLAW_WORKSPACE). It does not request always:true and does not modify other skills' configurations. This level of persistence and file creation is appropriate for the described functionality.
Security is layered; review the code before running.
Runtime dependencies
🖥️ OS: macOS · Linux
Version
latest v1.1.3 2026/2/17
● Suspicious
Install command
Official: npx clawhub@latest install usage-visualizer
Mirror (accelerated): npx clawhub@latest install usage-visualizer --registry https://cn.longxiaskill.com