Codesession

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: codesession
Version: 2.5.1

The codesession skill is a utility designed to track AI agent session costs, token usage, and file changes using the codesession-cli tool. It provides a structured workflow for agents to log API calls, monitor budgets, and view analytics via a local web dashboard. The skill's instructions (SKILL.md) are transparent and strictly aligned with its stated purpose, and while it utilizes a local proxy and shell wrappers (cs run) to intercept token counts, these behaviors are documented as necessary for its functionality. No evidence of data exfiltration, malicious prompt injection, or unauthorized persistence was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill gives the agent access to run the locally installed cs command from the npm package.

Why it was flagged

The skill relies on installing and running a globally available npm CLI package. This is expected for the tool, but the user must trust that package as the executable implementation.

Skill content

node | package: codesession-cli | creates binaries: cs

Recommendation

Install from the intended npm package source and review the package or repository if you require stronger supply-chain assurance.

What this means

The agent may run tracking commands during multi-step work without asking each time.

Why it was flagged

The skill explicitly expects the agent to invoke the CLI automatically for tracking. This matches the purpose, but it is still autonomous local tool use.

Skill content

The OpenClaw agent will automatically use it to track sessions.

Recommendation

Use this skill if you want automatic session tracking; otherwise disable or avoid invoking it for tasks where you do not want local activity recorded.

What this means

Local session history may contain project names, changed file paths, commits, notes, token counts, and cost information.

Why it was flagged

The skill persists session data locally, including usage and project activity, which can be reused in dashboards, exports, and historical views.

Skill content

Data is stored locally at `~/.codesession/sessions.db`.

Recommendation

Review and clear the local database when needed, and avoid adding sensitive information to session notes.

Note | High Confidence

ASI10: Rogue Agents

What this means

If interactive mode is used, local monitoring of file and git activity can continue until the process or session is ended.

Why it was flagged

The skill discloses a long-running local watcher mode. This is purpose-aligned for tracking but should be noticed because it continues monitoring until stopped.

Skill content

Without `--json`, the process stays running with a live file watcher and git commit poller until you press Ctrl+C or run `cs end`

Recommendation

Prefer the documented agent JSON mode for short-lived command execution, and run `cs end` or stop the process when tracking is no longer needed.