Scan Report
5 /100
openclaw-cost-guard
Static cost-governance review of OpenClaw configs to prevent denial-of-wallet incidents
This is a legitimate, well-scoped static cost-governance tool with no malicious behavior, no hidden functionality, and accurate documentation matching the implementation.
Safe to install
No action required. The skill is safe to use as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | scripts/cost-guard.mjs:14 — only reads the user-specified config path (default ~… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md explicitly declares 'node {baseDir}/scripts/cost-guard.mjs' execution; … |
File Tree
6 files · 11.8 KB · 329 lines JavaScript 2f · 155L
Markdown 3f · 139L
JSON 1f · 35L
├─
▾
references
│ └─
cost-playbook.md
Markdown
├─
▾
scripts
│ └─
cost-guard.mjs
JavaScript
├─
▾
tests
│ └─
test.mjs
JavaScript
├─
package.json
JSON
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 5 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
node:fs | builtin | node.js | No | Node.js built-in module, no external dependencies |
node:os | builtin | node.js | No | Node.js built-in module |
node:path | builtin | node.js | No | Node.js built-in module |
node:assert | builtin | node.js | No | Node.js built-in module (test file only) |
node:child_process | builtin | node.js | No | Node.js built-in module, used only in test file for execFileSync |
Security Positives
✓ SKILL.md accurately describes all behavior — no doc-to-code mismatch
✓ Script performs only static JSON analysis with regex pattern matching; no side effects
✓ No network requests, no credential access, no file writes beyond config read
✓ No base64, eval, obfuscation, or suspicious constructs
✓ Dependencies: only Node.js built-in modules (fs, os, path) — no external packages
✓ Test suite validates expected behavior using a temporary config file
✓ All file/path access is scoped to the user-supplied config path