Zai Usage
v1.1.0
Monitor Z.AI GLM Coding Plan usage and quota limits. Track token consumption, view reset times, and check subscription status.
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts and documentation all target Z.AI usage monitoring and call a single API endpoint (https://api.z.ai/api/monitor/usage/quota/limit), which is consistent with the skill description. However, one script (scripts/check-usage.sh) expects a variable named ZAI_API_KEY and suggests retrieving a key from /dashboard, while the README/SKILL.md and the other scripts use ZAI_JWT_TOKEN taken from browser localStorage. This mismatch is unexplained and unnecessary for the described purpose.
Instruction Scope
Runtime instructions confine activity to reading a locally-stored token and calling the Z.AI API. The SKILL.md explicitly instructs the user to copy a JWT from browser DevTools (localStorage key z-ai-open-platform-token-production) — a sensitive operation but relevant to the stated task. The scripts search multiple local locations for the token (~/.openclaw/secrets/zai.env, SKILL_DIR/.env, ~/.zai.env, environment), which increases convenience but also broadens where the secret may be stored.
Install Mechanism
There is no install spec and no remote downloads. The skill is instruction-only with local shell scripts; nothing in the manifest causes arbitrary code to be fetched or executed at install time.
Credentials
The only secret the skill uses is a bearer token (JWT) for the Z.AI API, which is proportionate for a usage-monitoring tool. However, the aforementioned inconsistency between ZAI_JWT_TOKEN and ZAI_API_KEY is suspicious: one script requires a differently-named credential and suggests a different retrieval path. Also, the skill instructs the user to extract a session JWT from browser localStorage; this token can grant account access and should be handled carefully. The skill reads secrets from multiple local paths, which is convenient but increases exposure if those files are not secured.
Persistence & Privilege
The skill does not request always:true, does not modify system-wide settings, and does not require any special persistent privileges. It only reads locally stored secrets and calls the Z.AI API.
What to consider before installing
This skill is mostly coherent for monitoring Z.AI usage, but review the following before installing:
- Verify credential expectations: README and most scripts use ZAI_JWT_TOKEN (a browser session JWT), but scripts/check-usage.sh references ZAI_API_KEY and different guidance. Ask the author or update/remove the mismatched script to ensure you only provide the intended secret.
- Treat the JWT as a sensitive credential: copying a token from browser localStorage can grant access to your account. Only store it in a secure file (e.g., ~/.openclaw/secrets/zai.env) with file permissions set to 600 and avoid committing it to git.
- Prefer using least-privilege / short-lived credentials where possible. If Z.AI provides an API key mechanism with limited scope or expiration, use that instead of a full session JWT.
- Confirm network behavior: the scripts only call https://api.z.ai/api/monitor/usage/quota/limit. If you see any other endpoints in future updates, review them carefully.
- If you are uncomfortable extracting tokens from browser storage, contact Z.AI support or check whether they provide an official API key or OAuth flow for monitoring usage.
Given the credential-name mismatch and the sensitive nature of the JWT extraction step, proceed only after resolving the inconsistency and ensuring secure handling of the token.
Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Z.AI Usage Monitor
Track your Z.AI GLM Coding Plan usage in real-time.
Quick Start
```bash
# Check usage
~/.openclaw/skills/zai-usage/scripts/usage-summary.sh
# Quick status
~/.openclaw/skills/zai-usage/scripts/quick-check.sh
```
Setup
- Get your JWT token from https://z.ai/manage-apikey/subscription
  - Open DevTools (F12)
  - Application → Local Storage → `z-ai-open-platform-token-production`
- Store in `~/.openclaw/secrets/zai.env`: `ZAI_JWT_TOKEN=eyJhbGci...`
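One way to check the stored token before running the scripts, as an added example that is not part of the skill's own code: it audits the three file locations the scan says the scripts read, for loose permissions, the mismatched `ZAI_API_KEY` name, missing git-ignore coverage, and duplicate copies. The function names `audit_zai_secrets` and `mode_of` and the finding labels are hypothetical.

```bash
# Added example (not part of the skill): audit the token files the scripts read.
# audit_zai_secrets and mode_of are hypothetical helper names.

# Print octal permission bits (GNU stat first, BSD/macOS stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Usage: audit_zai_secrets [HOME_DIR] [SKILL_DIR]
# Prints one line per finding; returns 1 if anything needs attention.
audit_zai_secrets() {
  local home skill_dir f dir mode found bad
  home="${1:-$HOME}"
  skill_dir="${2:-$home/.openclaw/skills/zai-usage}"
  found=0
  bad=0
  for f in "$home/.openclaw/secrets/zai.env" "$skill_dir/.env" "$home/.zai.env"; do
    [ -f "$f" ] || continue
    found=$((found + 1))
    dir="$(dirname "$f")"
    mode="$(mode_of "$f")"
    # Any group/other permission bit lets other local users read the token.
    case "$mode" in
      *00) ;;
      *) echo "LOOSE_PERMS $mode $f (fix: chmod 600)"; bad=1 ;;
    esac
    # The scan flagged one script expecting ZAI_API_KEY, not ZAI_JWT_TOKEN.
    if grep -q '^ZAI_API_KEY=' "$f"; then
      echo "UNEXPECTED_VAR ZAI_API_KEY $f"; bad=1
    fi
    # A token file inside a git work tree must be ignored, or it can be committed.
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git -C "$dir" check-ignore -q "$f"; then
      echo "NOT_GITIGNORED $f"; bad=1
    fi
  done
  # The same secret kept in several files multiplies the places it can leak from.
  if [ "$found" -gt 1 ]; then echo "DUPLICATE_COPIES $found"; bad=1; fi
  return "$bad"
}
```

Run `audit_zai_secrets` with no arguments to check the current user's home directory; a silent exit status of 0 means no findings.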
What You See
- 5-Hour Quota - Rolling token usage with reset countdown
- Monthly Quota - Monthly token allocation
- Web Tools - Search/reader/zread call limits
- Plan Level - Lite/Pro subscription status
Status Icons
| Icon | Usage |
|---|---|
| ✅ | < 50% |
| ⚠️ | 50-80% |
| 🔴 | > 80% |
Commands
Ask me:
- "How's our Z.AI usage?"
- "Check credit usage"
- "Are we running low on credits?"
Requirements
- curl - HTTP requests
- jq - JSON parsing
- bc - Number formatting (optional)
