ClawHub

ohmytoken

v2.0.3

Visualize your AI token usage as real-time pixel art with customizable boards, animations, achievements, and social sharing powered by ohmytoken.

0· 376·1 current·1 all-time
bya1pha@0x5446
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say it visualizes token usage; the skill requires a single OHMYTOKEN_API_KEY and its code posts model + token counts to api.ohmytoken.dev — this is proportionate and expected for the described feature.
Instruction Scope
SKILL.md and instructions.md explicitly instruct adding OHMYTOKEN_API_KEY and claim only three fields (model, prompt_tokens, completion_tokens) are sent. The runtime code (src/index.ts) sends exactly those fields and nothing else; it does not read other files or env vars.
Install Mechanism
No install spec is present (instruction-only). There is a small code file included but nothing that downloads or executes external installers. No high-risk install URLs or archive extraction.
Credentials
Only OHMYTOKEN_API_KEY is required (declared in claw.json and SKILL.md). That single API key is appropriate for authenticating usage reports; no unrelated credentials or broad environment access are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or system-wide privileges. It uses the normal onLLMResponse hook and does not modify other skills or agent configuration.
Assessment
This skill appears internally consistent, but note that the remote service (api.ohmytoken.dev) will see your model names, token counts, and your IP address and can attribute activity to the provided API key. If you care about linking usage to your identity, review the open-source repo at https://github.com/0x5446/ohmytoken-oss, check the service's privacy policy, and consider using a dedicated or limited-scoped API key. If you want extra assurance, audit the published source before installing or use a throwaway key.

Like a lobster shell, security has layers — review code before you run it.

latestvk970pcde3tdjvgeqzj6snb7em581y7fm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments