Telegram Usage Stats
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims: display Clawdbot usage statistics, with local command and session-file access that are sensitive but purpose-aligned and disclosed.
Before installing, confirm you trust this package and the local `clawdbot` command it will run. The reviewed code is aligned with usage reporting, but it may touch local Clawdbot session data if the session-reader helper is used.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local `clawdbot` command is missing or not the one the user expects, the skill may fail or run an unintended local binary.
The skill depends on the local `clawdbot` CLI even though the registry requirements only list Node. This is a dependency-disclosure gap, not evidence of malicious installation.
- Pulls real-time data from `clawdbot models status`
Declare `clawdbot` as a required binary and install only where the local Clawdbot CLI in PATH is trusted.
Running the skill will execute the local Clawdbot status command to collect quota information.
The handler invokes a shell command. The command is fixed and matches the stated purpose of reading quota status, but it still executes local CLI code with the user's permissions.
const output = execSync('clawdbot models status', { encoding: 'utf-8' });Use only with a trusted Clawdbot installation; for hardening, prefer an explicit binary path or non-shell invocation.
If this helper is used, the skill can access local session metadata and transcript files under the user's Clawdbot directory.
The helper reads persistent Clawdbot session and transcript files to compute usage statistics. This is purpose-aligned, and the reviewed code outputs only usage fields, but those files may contain private agent session context.
const store = JSON.parse(fs.readFileSync(storePath, 'utf-8')); ... const lines = fs.readFileSync(transcriptPath, 'utf-8').trim().split('\n');Use it only where reading local Clawdbot session data is acceptable, and avoid sharing the generated usage report beyond the intended Telegram chat.