LLM Monitor

v0.7.5

Monitor and report usage, costs, quotas, and rate limits for LLM providers, plus manage clawmeter setup and daemon status securely.

by Daniel Thomas (@danielithomas)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (LLM usage/cost/quota monitoring and clawmeter management) match the instructions: checks for clawmeter, config skeleton, daemon status, and runs clawmeter to parse usage. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Instructions explicitly forbid handling credentials and avoid reading credential files; they direct the agent to run local clawmeter commands and to create a non-secret config skeleton. This is within scope. Note: the skill tells the agent to offer to install packages and start systemd services if the user consents — these are legitimate for the stated purpose but are sensitive actions that should only be run with explicit user approval.
Install Mechanism
No install spec in the registry (instruction-only). The runtime suggests using pip or an 'uv tool' to install clawmeter if the user agrees; using pip is appropriate for this purpose. No external download URLs or extract operations are present in the metadata.
Credentials
The skill declares no required environment variables or credentials and the SKILL.md reiterates a strict 'never accept/store credentials' rule. It asks users to configure credentials locally (keyring, key_command, env) rather than providing them to the agent, which is proportionate.
Persistence & Privilege
always is false and the skill does not request persistent elevated privileges. It may instruct installation of a daemon (systemd) when explicitly requested — the skill asks for user confirmation before modifying system services.
Assessment
This skill appears to do what it says: it uses your local clawmeter tool to report usage and manage the clawmeter daemon. Before installing or running it, consider:
1) the agent may run commands like 'pip install clawmeter' and 'clawmeter daemon install/start' if you explicitly say yes — installing packages and modifying systemd services are sensitive actions, so only consent if you trust the skill and the clawmeter package;
2) the skill explicitly forbids handling API keys or reading credential files, but you should still never paste secrets into the conversation; if you accidentally paste a key, rotate it immediately;
3) the skill will write a non-secret config skeleton to ~/.config/clawmeter/config.toml — review that file before adding credentials;
4) if you need stronger guarantees, review clawmeter's source/package before installing or run installation in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk977r45t0vgk5xadjxwg3tnc3s84qtds
