openclaw-tally
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent local task-cost analytics skill, but it continuously reads OpenClaw messages and keeps a local usage ledger, so review that privacy tradeoff before installing.
Before installing, confirm you want continuous local analytics for all OpenClaw messages. The provided code shows local SQLite storage and no runtime network or credential use, but the database can reveal your AI task history and npm installation uses a native dependency.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may see sensitive text that appears in OpenClaw conversations, even though the artifacts say raw message text is not stored or sent externally.
The skill reads all message text locally to detect task boundaries and persists usage metadata. This is disclosed and purpose-aligned, but all conversations pass through the detector.
**Hook**: This skill registers a `message-post` hook and processes **every message**. ... **No message text is stored** — only metadata ... is persisted to the database.
Install only if you are comfortable with continuous local message analysis; avoid putting secrets in chats, and remove the local database if you no longer want the usage history retained.
Someone with access to the local database could infer task history, models used, sessions, costs, and possibly high-level task descriptions.
The local database can store session identifiers and task intent/outcome summaries. These are not raw transcripts, but they can still reveal what the user was doing.
sessions TEXT DEFAULT '[]', ... intent_summary TEXT DEFAULT '', outcome_summary TEXT DEFAULT ''
Treat ~/.openclaw/tally/tally.db as private local data; delete or protect it if the task history is sensitive.
After installation, it will continue participating in message processing until disabled or uninstalled.
The skill is installed as an ongoing message hook rather than only a manually invoked command.
"hooks": ["message-post"], "commands": ["/tasks"]
Use it only if you want ongoing analytics; disable or uninstall the skill to stop continuous tracking.
Installation may compile native code and depends on the integrity of npm dependencies.
The install path depends on npm packages and a native addon build. This is disclosed and aligned with local SQLite storage, but it relies on package provenance and local build execution.
**Native dependency**: Requires `better-sqlite3` (native Node.js addon). Installation runs `npm install` which triggers a native build step.
Install from a trusted source, keep Node/npm up to date, and review the package lock or repository if you require stronger supply-chain assurance.
