API Cost Tracker
v1.0.0Track AI API costs across OpenAI, Anthropic, Google AI with budget alerts, analytics, and optimization tips
⭐ 0· 422·1 current·1 all-time
by@k5rs4n
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description promise real-time tracking across OpenAI, Anthropic, and Google AI using API keys and webhooks. The code, however, only computes costs from provided token counts, stores local demo entries, and does not integrate with provider APIs or fetch usage from those services. The listed optional env vars (OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_AI_KEY) are plausible for the described purpose but are not consumed by the CLI shown. Webhook alerting is present in config examples but the script contains no network/send logic for webhooks.
Instruction Scope
SKILL.md instructs users to set API keys, run automated tracking, add crontab entries, and configure webhooks. The runtime instructions in scripts/main.mjs (as provided) only create demo tracking entries, save to local data files, and print reports. Several advertised CLI commands (e.g., test-keys, alerts enable, check-budget, rebuild) appear in docs but are not implemented (the main script is truncated and the implemented commands shown are limited). This grants broad expectations to the user that the skill does not meet.
Install Mechanism
No install spec beyond normal npm usage. package.json lists no external dependencies and there are no network download/install steps. This is low install risk.
Credentials
Required env vars are reasonable for the declared purpose (API keys for the three providers) and are marked optional. However, the code shown does not read or use those env vars, so requesting them in docs/config.json is currently misleading. Do not assume keys will be used safely — they are not consumed in the visible code.
Persistence & Privilege
The skill does not request elevated privileges or persistent platform presence (always:false). It writes only to a local ./data directory. Autonomous invocation is allowed by default (normal for skills) but there is no evidence of the skill modifying other skills or system-wide settings.
What to consider before installing
This skill is inconsistent: the docs say it will read provider APIs, send webhook alerts, and use API keys, but the included script only simulates usage (creates demo entries and writes local JSON files). Before installing or providing any API keys: 1) Inspect scripts/main.mjs fully (and confirm whether it actually calls provider APIs or sends webhooks). 2) If you need real cross-provider tracking, ask the author for proof of implemented integrations or an updated release that actually uses the provider APIs securely. 3) Do not paste real API keys into config.json or environment variables unless you verify the code will use them as expected (and that network endpoints are legitimate). 4) If you plan to run automated jobs (cron/heartbeat), test in an isolated environment first. Confidence is medium because parts of the main script were truncated and tests expect exports that may not be present; additional information (full/main.mjs that includes API integration or explicit network code) would raise confidence and could change the verdict to benign if implementation matches documentation.Like a lobster shell, security has layers — review code before you run it.
analyticsvk971qjtq31g1d5pew9rv0deezd8232aqapivk971qjtq31g1d5pew9rv0deezd8232aqlatestvk971qjtq31g1d5pew9rv0deezd8232aqtrackingvk971qjtq31g1d5pew9rv0deezd8232aq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💰 Clawdis
EnvOPENAI_API_KEY (optional), ANTHROPIC_API_KEY (optional), GOOGLE_AI_KEY (optional)