api-quota-monitor
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The Python script `scripts/query_quota.py` retrieves sensitive credentials from environment variables, including `OPENROUTER_API_KEY`, `MINIMAX_API_KEY`, `XAI_MGMT_KEY`, `BRAVE_API_KEY`, `TAVILY_API_KEY`, and `SERPER_API_KEY` to authenticate quota queries.
- [DATA_EXFILTRATION]: The skill reads the local file `~/.openclaw/auth-session-state.json` to detect configured providers. It also transmits the retrieved API keys to external domains for authentication during quota checks.
- [EXTERNAL_DOWNLOADS]: The script performs network requests to multiple external API endpoints, such as `api.minimax.chat`, `openrouter.ai`, `management-api.x.ai`, `api.search.brave.com`, `api.tavily.com`, and `serper.dev`, to fetch balance and usage data.
- [COMMAND_EXECUTION]: The `SKILL.md` file contains instructions for executing the monitoring script via the shell and suggests setting up a `cron` job for periodic execution.
Audit Metadata