tokenmeter

What to consider before installing/running this skill: - Review the repository before auto-install: SKILL.md instructs the bot to git clone a remote repo and pip install it into a venv. That will execute code downloaded from the network. Verify the repo URL and contents (note the SKILL.md clone URL differs from pyproject.toml metadata). - Prefer manual installation: instead of letting the agent run the clone/install automatically, run the steps yourself in a controlled environment (or an isolated VM/container) so you can inspect code and dependencies first. - Expect local files to be read/written: tokenmeter reads session JSONL files (e.g., ~/.clawdbot/agents/*/sessions/*.jsonl and ~/.claude/projects/*/sessions/), writes DB at ~/.tokenmeter/usage.db, and creates a venv at ~/clawd/tokenmeter/. This is normal for the stated purpose but be comfortable with those paths being accessed. - Environment keys will be probed if you run fetch: the tool scans for common provider API keys and may call provider APIs. If your runtime has provider API keys in environment variables, the skill may use them to query usage. If you don't want that, remove keys from the environment or avoid the fetch command. - Watch for proxy/webhook features: README mentions proxy and webhook integration — these could forward data externally if configured. If you plan to use proxy features, verify where data is sent and ensure you trust the endpoint. - If uncertain, inspect the following files first: fetcher.py (env scanning and HTTP calls), importer.py (parsing local session files), and any files that implement proxy/webhook behavior. Check for hard-coded external endpoints or telemetry logic. If you review the code and trust the source, the skill is coherent for its purpose. If you cannot verify the repo, treat the automatic install/execute behavior as a risk and avoid auto-running the install steps.