AI Usage
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says—report AI usage—but it reads local Claude credentials and OpenClaw session logs, so users should be comfortable with that access.
This skill is reasonable for checking AI usage if you trust it. Before installing or scheduling it, review the script, confirm it only sends the Claude OAuth token to Anthropic's usage API, and be careful about sharing reports that include provider, model, token, request, quota, or cost information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the user's existing Claude authentication to query account usage information.
The skill intentionally reads a local Claude OAuth credential to call Anthropic's usage API. This is disclosed and purpose-aligned, but credential access is sensitive.
using Claude Code's OAuth token from `~/.claude/.credentials.json`
Install only if you trust the skill with local Claude credentials; verify the script does not print, store, or send the token anywhere except Anthropic.
Reports may reveal which providers/models were used, approximate request counts, tokens, and costs.
The skill reads persistent OpenClaw session logs to compute usage statistics. The described output is aggregate usage data, but the source files are local activity records.
Parses `~/.openclaw/agents/main/sessions/*.jsonl` for per-provider/model token and cost data
Avoid sharing generated reports if usage patterns are private, and set `OPENCLAW_SESSIONS_DIR` only to log directories you intend the skill to read.
Running the usage check may trigger a small Claude Code invocation and network activity for token refresh.
The script invokes the local Claude CLI to refresh the OAuth token. This is disclosed in SKILL.md and scoped to a minimal command, but it is still local command execution.
subprocess.run(["claude", "--print", "-p", "ok"], capture_output=True, timeout=30)
Run it manually first, confirm the local `claude` CLI is the expected binary, and be aware that scheduled checks may make repeated refresh calls.
Users have less external provenance information to help decide whether to trust the skill.
The artifact provides limited provenance information. This is not suspicious by itself, but it matters more because the included script reads local credentials and session logs.
Source: unknown; Homepage: none
Review the included script locally and prefer installing from a source or publisher you trust.