Trusted — Risk Score 5/100
Last scan: 1 day ago
daily-cost-report
Generate daily OpenClaw cost reports with breakdown by agent/model/channel. Supports markdown, HTML email delivery, and cron scheduling.
Legitimate cost reporting skill with clean implementation. All functionality is declared, no credential harvesting, no data exfiltration, no obfuscation, and no hidden behavior detected.
Skill Name: daily-cost-report
Duration: 29.5s
Engine: pi
Safe to install
This skill is safe to use. Continue standard deployment practices.

Findings: 1 item

Severity: Low
Finding: Hardcoded binary path (Doc Mismatch)
Location: scripts/daily-cost-report.sh:11
Uses hardcoded path $HOME/homebrew/bin/openclaw for the OpenClaw CLI. This is acceptable for a CLI tool but could be improved with PATH lookup.
OPENCLAW_BIN="$HOME/homebrew/bin/openclaw"
→ Consider using 'which openclaw' or checking PATH first for broader compatibility.
Resource    Declared  Inferred  Status     Evidence
Filesystem  READ      WRITE     ✓ Aligned  Writes to /tmp for report output
Network     READ      READ      ✓ Aligned  Uses openclaw binary to fetch session data
Shell       NONE      WRITE     ✓ Aligned  bash scripts invoke jq/awk/mail
1 finding
Info Email: email address
[email protected]
SKILL.md:30

File Tree

4 files · 19.2 KB · 684 lines
Shell 3f · 504L Markdown 1f · 180L
├─ 📁 scripts
│ ├─ 🔧 daily-cost-report-email.sh Shell 180L · 4.8 KB
│ ├─ 🔧 daily-cost-report.sh Shell 268L · 7.4 KB
│ └─ 🔧 send-cost-report.sh Shell 56L · 1.9 KB
└─ 📝 SKILL.md Markdown 180L · 5.1 KB

Security Positives

✓ No credential harvesting or environment variable theft
✓ No base64 encoding or obfuscation
✓ No external network calls except via local openclaw binary
✓ No curl/wget remote script execution
✓ All functionality declared in SKILL.md matches implementation
✓ Proper use of set -euo pipefail for error handling
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ Temp files properly cleaned up (rm -rf $TEMP_DIR)
✓ No reverse shell or C2 indicators