ClawHub

openclaw-tally

v0.3.1

Tokens tell you how much you paid. Tasks tell you what you got. Tally tracks every OpenClaw task from start to finish — cost, complexity, and efficiency score.

0· 420·0 current·0 all-time
byJonathan Jing@jonathanjing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The code, package.json, skill.json, and SKILL.md all implement a local task-detection, ledger, and analytics system. Required binaries (node/npm) and the native sqlite dependency (better-sqlite3) are expected for this purpose. No unexpected credentials, network access, or unrelated binaries are requested.
Instruction Scope
SKILL.md says the skill registers a message-post hook and processes every message's text but stores only metadata. The code contains task detector, ledger, and analytics logic and does not persist raw message bodies. There is a small surface to note: the DB includes intent_summary and outcome_summary fields (strings) — the current detector returns empty summaries, but future changes could populate those fields with snippets. Confirm intent_summary/outcome_summary behavior if you want guarantees that no message text is ever persisted.
Install Mechanism
No install spec in registry, but the package contains package.json and package-lock.json; installation uses standard npm which will fetch dependencies from npmjs.org (including better-sqlite3). This is expected for a Node skill. The SKILL.md explicitly warns about the native build step. No downloads from untrusted URLs or extract-from-arbitrary-host steps were found.
Credentials
The skill requires no environment variables or external credentials. File system access is limited to ~/.openclaw/tally/ (and tests allow /tmp). package.json/repo metadata points to a GitHub repo — not a secret or unrelated service. Overall requested environment access is proportional to the stated purpose.
Persistence & Privilege
The skill is not always-on and does not request elevated privileges. skill.json declares filesystem write/read only under ~/.openclaw/tally/, network: none, and exec: false. The code enforces a hardcoded default DB path within the user homedir and validates custom paths to /tmp; no modifications to other skills or system configs were observed.
Assessment
This skill appears coherent and local-only: it needs node/npm and will run npm install (including a native build for better-sqlite3) and write a SQLite DB at ~/.openclaw/tally/tally.db. Before installing: 1) be prepared to run native builds (Node >=18) or install prebuilt binaries for better-sqlite3 on your platform; 2) if you require absolute assurance that no message content is stored, audit any code paths that might populate intent_summary/outcome_summary (currently detector returns empty summaries); 3) consider running it in a test user account or VM to verify behavior and DB location; and 4) review the GitHub repo (package.json points to https://github.com/JonathanJing/openclaw-tally) if you want source provenance. Minor notes: src/index.js exports VERSION '0.1.0' while package/skill metadata are 0.3.1 (version mismatch only).

Like a lobster shell, security has layers — review code before you run it.

latestvk9738mj2nnw2w977dhpt36jzmh8296f5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Any binnode, npm

Comments