Token Burn Monitor
ReviewAudited by ClawScan on May 1, 2026.
Overview
This appears to be a local cost-monitoring dashboard, but it reads agent session logs and runs a background localhost server, so review the privacy settings before using it.
Install only if you are comfortable with a local dashboard reading your OpenClaw agent session and cron files. Keep `showPrompts` disabled unless you need prompt debugging and trust the machine, review any custom themes before enabling them, and stop the background server when you are done.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The dashboard can reveal agent usage, tool names, costs, cron status, and—if explicitly enabled—prompt snippets from local session history.
The dashboard reads all configured OpenClaw agent session logs and cron data, which may include private task metadata or prompts. Redaction is enabled by default, which keeps this purpose-aligned but still privacy-sensitive.
filesystem read: "$OPENCLAW_AGENTS_DIR/*/sessions/*.jsonl" ... "$OPENCLAW_HOME/cron/jobs.json"; "User prompts redacted by default ... opt-in via `showPrompts: true`"
Leave prompt display disabled unless you are on a trusted single-user machine, and set OPENCLAW_AGENTS_DIR/OPENCLAW_HOME only to directories you intend this dashboard to read.
A local server will continue running and serving dashboard data on localhost until it is stopped.
The script starts the dashboard as a background local service and records its PID. This is disclosed and includes stop/status controls, but it persists beyond the initial command until stopped.
nohup node server.js > "$LOG_FILE" 2>&1 & echo $! > "$PID_FILE"
Use `bash start.sh status` to check it and `bash start.sh stop` when you no longer need the dashboard; avoid running it on shared machines unless you understand local access implications.
A user may not realize from metadata alone that the skill needs Node/bash and includes a local service script.
The registry metadata under-declares provenance and runtime requirements relative to the included runnable Node/bash files. The artifacts themselves are transparent about the scripts, so this is a setup/provenance note rather than a concern.
Source: unknown; Homepage: none; Required binaries: none; Install specifications: No install spec; Code file presence: server.js, setup.sh, start.sh
Review the included scripts before starting the service and prefer trusted installation sources or verified registry entries when available.