ClawHub

Botlington Agent Token Audit

v1.0.0

Trigger an Agent Token Audit via Botlington's A2A endpoint. Use when you want to audit an AI agent's token efficiency — identifies model waste, context bloat...

0· 93·0 current·0 all-time
by@gary-botlington
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the SKILL.md: all instructions show how to call Botlington's A2A JSON-RPC endpoint to run a 7-turn audit or submit an agentConfig directly. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
Instructions stay within the audit purpose (start session, answer Gary's 7 questions, or submit agentConfig). However, the docs encourage submitting full agent configuration and may reference 'full-file-reads' context strategies; that could cause you to transmit large amounts of agent prompts, context and possibly sensitive data. The SKILL.md does not provide guidance on redaction or minimizing sensitive contents before sending.
Install Mechanism
Instruction-only skill with no install spec, no downloads, and no code files — low installation risk.
Credentials
The skill does not require stored credentials in its manifest. It expects you to purchase an API key from botlington.com and pass it as x-api-key or set API_KEY in your environment; that is proportionate to a paid external API. Be aware that the payloads you send (agentConfig, systemPrompts, full-file reads) may contain secrets or PII, but requesting those payloads is consistent with performing a thorough token audit.
Persistence & Privilege
Default privileges (always:false, agent invocation allowed). The skill does not request persistent presence or modify other skills; nothing here indicates elevated system privilege.
Assessment
This skill is coherent for calling an external paid audit service, but before using it: (1) Verify botlington.com is a legitimate service and review its privacy/security policies; (2) Avoid sending unredacted secrets, credentials, or full production data — redact API keys, passwords, and any PII from prompts and config you submit; (3) Prefer testing with a minimal, non-sensitive sample agentConfig first to confirm behavior; (4) Keep the purchased API key secure (do not commit it to source control) and rotate it if exposed; (5) If you must include context extracts, send only the minimal slices necessary for the audit. If you want higher assurance, request more provenance (homepage, owner identity) from the publisher before giving an API key or uploading sensitive configs.

Like a lobster shell, security has layers — review code before you run it.

latestvk979qrcf46gjt98bszwt4kkded83md1g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments