Agent Tollbooth

v2.2.0

Web access privileges for your agent. So your agent stops hitting walls.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for highnoonoffice/agent-tollbooth.

Install the skill "Agent Tollbooth" (highnoonoffice/agent-tollbooth) from ClawHub.
Skill page: https://clawhub.ai/highnoonoffice/agent-tollbooth
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install agent-tollbooth

ClawHub CLI


npx clawhub@latest install agent-tollbooth
Security Scan
Capability signals
Crypto, Can make purchases, Requires OAuth token, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (map safe request patterns, caching, and logging) match the included scripts: check-profile, web-log, promote-profile, fetch-prices, and fetch-crypto. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to read bundled profiles and to read/write only under $OPENCLAW_WORKSPACE/data/agent-tollbooth — the scripts do this. Caveat: several scripts include a fallback that will create/read a local data/ directory inside the skill bundle if OPENCLAW_WORKSPACE is not present, which contradicts the SKILL.md claim 'never modifying packaged files.' The skill logs event details (service, event_type, detail) to the workspace; those logs may include service names and diagnostic text but do not appear to capture credentials.
Install Mechanism
Instruction-only with packaged Python scripts; no external installers, downloads, or extract steps. No third-party package pulls declared in an install spec.
Credentials
The skill requires no environment variables or credentials beyond the optional OPENCLAW_WORKSPACE path (standard for OpenClaw). Profiles reference many APIs (OpenAI, Stripe, etc.) only as documentation; the skill itself does not request those secrets.
Persistence & Privilege
always:false and no autonomous privilege escalation. Writes are limited to the workspace data directory (or the local bundle fallback if workspace isn't set) and to a workspace profiles.md when --write is used; it does not alter other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims: log web-access events, recommend safe call patterns, cache price responses, and draft profiles from observed events. Before installing:

  1. Ensure OPENCLAW_WORKSPACE is set to a controlled directory so logs and cache files are written outside the packaged files (otherwise the scripts may create a local data/ folder inside the skill bundle).
  2. Be aware the scripts make outbound requests to services like Yahoo Finance and CoinGecko when used (so they will generate network traffic).
  3. The promote step (--write) appends drafted profiles to the workspace profiles.md only when you explicitly pass --write — review drafts before writing.
  4. If you want stricter containment, run these scripts with network or filesystem restrictions or review/redirect the workspace path to a dedicated directory.

Overall: coherent and proportionate to its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latest vk972457cfdr5998brnv3acn20h855rt6
128 downloads
0 stars
19 versions
Updated 1w ago
v2.2.0
MIT-0

Agent Tollbooth

You're mid-task. Your agent fires a Yahoo Finance request. Gets a 429. Stops. You don't know if it's rate limits, a bad endpoint, a missing header, or just bad luck. You try again. Same thing. You start debugging blind.

Tollbooth is the field notes that stop this from happening twice. Observed operating profiles for 16 external services — safe endpoints, sleep intervals, caching patterns, auth requirements — built from real API friction. Your agent checks the profile before calling, follows the safe pattern, and logs what happens. Next time it already knows.

Every external service has a threshold. This skill provides the map so agents learn them once and stop hitting them twice.

Core Pattern

Before calling any external service:

  1. Check references/profiles.md for an existing profile
  2. Follow its safe pattern — endpoint, sleep, cache, auth
  3. If no profile exists, observe behavior and add an entry after

Caching

Always cache prices and API responses locally when TTL allows.

  • Default TTL: 300s (5 minutes) for prices
  • Cache file: $OPENCLAW_WORKSPACE/data/agent-tollbooth/cache/
  • Serve from cache first — only hit the API when stale or forced

Script: scripts/fetch-prices.py implements cache + sequential Yahoo Finance fetching. Use it instead of raw requests. CoinGecko and other services are covered by profiles in references/profiles.md.

How It Learns

Tollbooth grows with your usage. Three scripts form the learning loop:

Before any external call:

python3 scripts/check-profile.py coingecko.com

Returns the safe pattern if a profile exists. If not, logs the miss and returns exit code 1 — your agent can continue, but observation has started.

During any call — log what happens:

from scripts.web_log import log_event
log_event("my-api.com", "429", "hit rate limit at 10 req/min", worked=None)
log_event("my-api.com", "success", "sequential 500ms sleep worked", worked="sequential + 500ms sleep")

After enough observations — promote to a profile:

python3 scripts/promote-profile.py           # dry run, see what's ready
python3 scripts/promote-profile.py --write   # append drafts to profiles.md

Default threshold: 5 events. Auto-drafted profiles include all observed friction and working patterns. Review before trusting — they're drafts, not finished entries.

Events are written to $OPENCLAW_WORKSPACE/data/agent-tollbooth/web-access-log.json — outside the skill bundle, never modifying packaged files. Cache files go to $OPENCLAW_WORKSPACE/data/agent-tollbooth/cache/. Set OPENCLAW_WORKSPACE before running (standard on any OpenClaw install).

Workspace Access

This skill writes event logs and cache files to $OPENCLAW_WORKSPACE/data/agent-tollbooth/. No credentials are accessed. No sensitive data is written. No files outside this directory are touched.
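
The scan report on this page notes that several scripts fall back to a local data/ directory inside the skill bundle when OPENCLAW_WORKSPACE is not present. The following is an added example, not code from the skill: a fail-closed resolver that refuses that fallback and keeps every log or cache path under $OPENCLAW_WORKSPACE/data/agent-tollbooth. The names resolve_data_dir, safe_path, verdict and the bundle_root parameter are assumptions, and the paths in demo() are constructed.

```python
from pathlib import Path

SUBDIR = Path("data") / "agent-tollbooth"  # directory layout stated on this page


class WorkspaceError(RuntimeError):
    """Raised instead of silently falling back to a data/ dir inside the bundle."""


def resolve_data_dir(env, bundle_root):
    """Return <workspace>/data/agent-tollbooth, or raise if it is unset or unsafe."""
    raw = env.get("OPENCLAW_WORKSPACE", "").strip()
    if not raw:
        raise WorkspaceError("OPENCLAW_WORKSPACE is not set")
    bundle = Path(bundle_root).resolve()
    data_dir = (Path(raw) / SUBDIR).resolve()  # resolve() also follows symlinks
    # Reject a workspace that points into the packaged skill files.
    if data_dir == bundle or bundle in data_dir.parents:
        raise WorkspaceError(f"data dir is inside the skill bundle: {data_dir}")
    return data_dir


def safe_path(data_dir, relative):
    """Join a log or cache name onto data_dir; refuse anything that escapes it."""
    target = (data_dir / relative).resolve()
    if data_dir not in target.parents:
        raise WorkspaceError(f"path escapes data dir: {relative}")
    return target


def verdict(fn, *args):
    try:
        fn(*args)
        return "accepted"
    except WorkspaceError:
        return "rejected"


def demo():
    """Constructed paths (hypothetical install layout); nothing is created on disk."""
    ws, bundle = Path("/srv/openclaw/workspace"), Path("/srv/openclaw/skills/agent-tollbooth")
    d = resolve_data_dir({"OPENCLAW_WORKSPACE": str(ws)}, bundle)
    return {
        "cache_file": safe_path(d, "cache/prices.json").relative_to(ws.resolve()).as_posix(),
        "unset": verdict(resolve_data_dir, {}, bundle),
        "in_bundle": verdict(resolve_data_dir, {"OPENCLAW_WORKSPACE": str(bundle)}, bundle),
        "traversal": verdict(safe_path, d, "../../escape.json"),
    }
```

In real use, pass os.environ as env and the skill's install directory as bundle_root, and call it before any script writes a log or cache file.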

Service Profiles

See references/profiles.md for all current profiles:

  • Yahoo Finance
  • CoinGecko
  • Ghost Admin API
  • ClawHub API
  • Telegram Bot API
  • Replicate
  • OpenAI API
  • Anthropic API
  • GitHub API
  • Brave Search API
  • Serper (Google Search)
  • Notion API
  • Airtable API
  • Stripe API
  • HuggingFace Inference API
  • Firecrawl
