ClawHub

Token Usage Tracker

v1.0.0

Token usage logging, alerting, and context-compression utilities for OpenClaw. Use when you want to track per-call token usage, normalize timestamps, and red...

0· 312·0 current·0 all-time
by@gerhardvr26
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (token logging, alerts, summarization) match the provided scripts. All scripts operate locally, use only standard Python libraries, and require no external credentials or unrelated binaries.
Instruction Scope
SKILL.md instructs installing/wiring example scripts into your pipeline and using the summarizer. The scripts do perform filesystem actions (create ./skills/logs, append JSONL logs, replace files during migration/dedupe). The README and SKILL.md state the examples are safe and won't change system services automatically — this is true for services, but the scripts do modify local disk state (logs, tmp files). Also token_alerts includes a comment about replacing prints with webhooks; while not active by default, modifying scripts to post externally could exfiltrate logged data. The interceptor will process message payloads (which may contain sensitive content) and forward logging info, so review/redact before use.
Install Mechanism
There is no install spec (instruction-only). The package contains example Python scripts only — no downloads, packaged installers, or remote code execution. Risk from install mechanism is low.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond the provided skill-config.json. Log files are written under a relative ./skills/logs by default; this is proportional to the stated logging purpose.
Persistence & Privilege
always is false; the skill does not request persistent platform privileges or modify other skills. Scripts write and rotate/replace local log files under their own paths only.
Assessment
This skill appears to do exactly what it says: local token accounting, timestamp conversion, simple summarization, and example alerting. Before installing or deploying: 1) Read the scripts (they are small) and choose a safe log_folder (not a world-readable or system directory). 2) Restrict filesystem permissions for the log folder and consider rotating/retention to avoid unbounded disk growth. 3) Audit what you log — call payloads may include sensitive data; add redaction or avoid logging full contexts if privacy is a concern. 4) Do not enable or add webhook/web network calls (token_alerts hints at this) unless you trust the endpoint and sanitize data. 5) If you deploy the systemd example, update ExecStart path and User from the sample values before enabling. 6) Test in a controlled environment first. Overall: coherent and low-risk if used as-local examples and properly configured.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f4s3p48nnjsref10snxmxf182178mmonitoringvk97f4s3p48nnjsref10snxmxf182178mtokensvk97f4s3p48nnjsref10snxmxf182178mtoolingvk97f4s3p48nnjsref10snxmxf182178m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments