API Credit Health Bar Lite
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is purpose-aligned for showing API credit balances, with disclosed optional API-key checks and local balance storage that users should configure carefully.
This appears safe for its stated purpose. Before installing, decide whether you want manual-only tracking or automatic API checks; if you enable auto-checks, use minimally scoped keys, keep them out of files, and protect the local config.json that stores balance information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When you ask for credit checks or updates, the agent may run local scripts and, for update actions, modify the local config file.
The skill intentionally lets the agent run local Python scripts. This is central to the stated purpose, but users should know the agent will execute local commands when triggered.
You run the scripts internally — the user never types `python3`... Run scripts with: `python3 <skill-root>/scripts/<script>.py <args>`
Use it when you are comfortable with the agent running these bundled scripts; prefer manual sync if you do not want automatic API checks.
If a broad API key is exposed or misused outside this skill, it could affect the associated provider account.
The OpenAI auto-check may require a high-privilege provider credential. The visible code uses it for billing balance checks, but the key itself is sensitive account authority.
Requires: OPENAI_API_KEY environment variable (org admin key, not user key)
Use the narrowest available billing/read-only key, keep keys in environment variables or a secure key manager, and do not enable auto-checks if you prefer not to grant provider credentials.
Anyone with access to the config file may see provider names, balance amounts, and sync times.
The skill stores account balance metadata locally across runs. This is expected for a credit tracker, but it is still persistent financial/account context.
`config.json` —
- Credit balances (dollar amounts only)
- Timestamps of last sync
- Provider names
Keep config.json private, follow the documented file-permission guidance, and avoid storing API keys in the config.
Installing optional packages adds normal third-party dependency risk.
The optional dependency installation is user-directed and purpose-aligned, but it is unpinned package installation from the Python package ecosystem.
Optional: install `requests` for API auto-checks:
```bash
pip install requests
```
Install dependencies from trusted sources, consider pinning versions in controlled environments, and skip auto-check dependencies if you only need manual balance tracking.
