Token Burn Monitor

v5.3.1

Real-time token consumption monitoring dashboard for OpenClaw agents. Tracks per-agent token usage, cost breakdown by model, cache hit rates, cron job status...

by Kaspar Chen @kasparchen
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description promise (per-agent token/cost/cron monitoring) matches the code and SKILL.md: server.js scans an agents directory for session JSONL files, reads a cron jobs file, computes token/cost stats and serves a localhost-only dashboard. Declared filesystem reads (agents sessions and cron jobs) are expected for this purpose.
Instruction Scope
SKILL.md and server.js limit activity to local reads, serving a localhost-only GET API and static theme files. Important privacy note: session files can include user prompts; prompts are redacted by default but will be returned (up to 300 chars) if SHOW_PROMPTS or config.showPrompts is enabled. The instructions do not attempt to read unrelated system files or make outbound network requests.
Install Mechanism
No install spec; packaged as node scripts with start.sh/setup.sh. start.sh uses nohup node server.js and writes a PID/log to /tmp. No external downloads or package installs are performed by the provided scripts. Requires a Node.js runtime already present (documented).
Credentials
The skill does not request environment secrets and only references OPENCLAW_AGENTS_DIR, OPENCLAW_HOME and PORT (all appropriate for discovering sessions and cron data). The only sensitive data access is reading session JSONL files (explicit and justified by the dashboard purpose); the SKILL.md documents redaction behavior and opt-in for showing prompts.
Persistence & Privilege
The skill is not always-enabled and uses normal service scripts (start/stop) that affect only its own process and PID file; it does not modify other skills or global agent settings. Autonomous invocation (model invocation) is allowed by platform default but not combined with other concerning privileges here.
Assessment
This package is coherent for running a local token/cost dashboard, but consider the following before installing: (1) session JSONL files may contain sensitive user prompts — keep showPrompts disabled (default) unless you explicitly trust the machine and purpose; (2) inspect any custom themes you add before enabling them (themes are served to localhost and could display or fetch data if modified); (3) verify you have a trusted Node.js runtime and run it on a machine where local-only access is acceptable; (4) the published source/homepage are unknown in the registry metadata — if provenance matters, obtain the repository or author contact and verify integrity before production use.

Like a lobster shell, security has layers — review code before you run it.
