ohmytoken

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill’s code matches its stated purpose, but it will automatically send model names and token counts to ohmytoken.dev using an API key.

Before installing, make sure you are comfortable sharing model names and token counts with ohmytoken.dev after each LLM response. The reviewed code matches the privacy description by sending only model, prompt token count, and completion token count, plus the ohmytoken API key for authentication.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

ohmytoken.dev can receive a record of which models you use and how many input/output tokens were consumed over time.

Why it was flagged

The skill automatically performs a network report after LLM calls. This is disclosed and purpose-aligned, but users should notice that usage metadata is sent without a per-request prompt.

Skill content

After each LLM call, this skill reports the **model name** and **token count** (input + output) to ohmytoken.dev.

Recommendation

Install only if you are comfortable with automatic token-usage telemetry to ohmytoken.dev; disable or remove the skill if you do not want that reporting.

What this means

Your token-usage reports are associated with your ohmytoken account, and anyone with access to this API key could potentially submit usage data for that account.

Why it was flagged

The skill reads an ohmytoken API key from config or the environment and sends it to the ohmytoken API as an authentication header.

Skill content

const key = config.api_key || process.env.OHMYTOKEN_API_KEY; ... "X-API-Key": key

Recommendation

Keep the OHMYTOKEN_API_KEY private, store it only where you trust the environment, and rotate or revoke it if it is exposed.