Token Stats

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned: it locally reads OpenClaw session logs to report token usage, so its output may reveal private usage or session-label details.

This looks reasonable for a token-usage reporting skill. Before installing, be aware that it scans local OpenClaw session JSONL files and can include deleted or backup history if requested; review any generated report before sharing it.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI06: Memory and Context Poisoning

What this means

Running the skill can reveal aggregate activity, dates, token counts, and possibly session labels from local OpenClaw history.

Why it was flagged

The skill reads persistent OpenClaw session-history files, and optionally deleted or backup session files, to calculate token statistics. This matches the stated purpose but involves local session-history access.

Skill content

base = os.path.expanduser("~/.openclaw/agents/%s/sessions/" % agent_id)
patterns = [base + "*.jsonl"]
if include_deleted:
    patterns.append(base + "*.jsonl.deleted*")
    patterns.append(base + "*.jsonl.bak*")

Recommendation

Use it only when you want local token accounting, and avoid sharing its text or JSON output if session labels or usage history are sensitive.