toll
v1.0.5
Track and display token usage statistics and estimated USD costs from Claude Code and Codex CLI sessions
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: the skill runs the 'toll' CLI and aggregates Claude Code and Codex CLI logs. However, the skill metadata declares no required config paths while SKILL.md explicitly says it reads ~/.claude/projects/**/*.jsonl and ~/.codex/sessions/. The missing config-path declaration is an incoherence (the skill will access those files even though metadata doesn't list them).
Instruction Scope
Runtime instructions are narrowly scoped: check for the toll binary, parse user intent, run toll with the requested flags, and present results. The instructions reference specific local log paths (home directory) which is expected for this purpose and do not instruct transmission of data to external endpoints. Note: reading those logs can expose usage data and potentially API keys if present in the logs.
Install Mechanism
There is no install spec in the skill bundle (instruction-only), but SKILL.md advises installing via 'curl -fsSL https://raw.githubusercontent.com/.../install.sh | sh' or 'cargo install toll'. Piping an arbitrary raw GitHub script to sh is higher risk than using a package manager; this is a user-level install recommendation inside the instructions and not performed automatically, but users/agents should avoid blind curl|sh installs and prefer verified releases or cargo where possible.
Credentials
The skill declares no required env vars or credentials and only needs the toll binary plus read access to the user's Claude/Codex log paths. That is proportionate to the stated function. Caveat: logs may contain sensitive tokens or other secrets — the skill will read those files to produce reports.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs in its instructions, and is user-invocable. There is no indication it requires persistent elevated privileges.
Assessment
This skill appears to do what it claims: run the 'toll' CLI to parse local Claude/Codex logs and report token counts and cost estimates. Before installing or running it: (1) review the upstream repository and the install script instead of running curl | sh blindly — prefer cargo install or a verified release; (2) be aware the tool will read files under ~/.claude and ~/.codex which might contain sensitive information (API keys or full prompts) — only allow if you trust the tool and have inspected the repo; (3) note the skill metadata did not declare the config paths it reads, so expect local file access even though it's not listed in requirements; (4) if you need tighter control, run 'toll' locally yourself and paste sanitized output to the agent rather than giving the agent direct file access or running unreviewed installers.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: toll
