ClawHub

Token Manager

v1.2.0

Universal LLM Token Manager - Monitor usage and provide cost-saving recommendations for Kimi, OpenAI, Anthropic, Gemini, and local models. Features scheduled monitoring, cross-session tracking, and proactive alerts.

6· 2.6k·24 current·25 all-time
byFelix@kelegele
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The code (manager/scheduler/session-tracker) implements token estimation, balance checks, scheduled alerts, and cross-session analytics as described. Network calls target LLM provider APIs (moonshot/OpenAI/Anthropic/Gemini/localhost) which is expected for a token manager. Pricing and provider tables in code match the stated purpose.
Instruction Scope
SKILL.md instructs the agent to read API keys from environment variables, store data under a local .data/ directory, register cron jobs, and edit openclaw.json to add tools. The instructions do not attempt to read unrelated system files or exfiltrate data. Note: SKILL.md and the scripts rely on environment variables (MOONSHOT_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY) even though the registry metadata declared no required env vars—this mismatch should be corrected/confirmed.
Install Mechanism
There is no install spec (no remote downloads). The package is provided as local JS scripts; no external install or archive extraction occurs. This minimizes install-time risk.
Credentials
The tool needs provider API keys to query balances/estimate tokens; those credentials are proportionate to its function. However, registry metadata lists no required env vars while SKILL.md and scheduler/manager scripts expect MOONSHOT_API_KEY (and optionally OPENAI_API_KEY / ANTHROPIC_API_KEY). This metadata omission is an inconsistency to fix before trusting automated runs.
Persistence & Privilege
The skill persists data only under its local .data/ directory (config.json, sessions, alerts). It does not request elevated system privileges or attempt to modify other skills or system-wide agent settings. always is false and autonomous invocation is enabled (the platform default).
Assessment
This skill appears to do what it says: it stores usage data locally, queries provider APIs with your API keys, and provides alerts/reports. Before installing: 1) Confirm and set the expected env vars (MOONSHOT_API_KEY, optionally OPENAI_API_KEY and ANTHROPIC_API_KEY) — the registry metadata currently omits them. 2) Review the scripts (they are included) and verify the provider endpoints and pricing entries match your expectations. 3) When registering cron jobs or editing openclaw.json, ensure you use the correct absolute path and do not run the scripts as root. 4) Understand the scripts will make outbound HTTPS/HTTP requests to the configured provider hosts using whatever API key you supply — only provide keys you trust to be used in this context. 5) If you do not trust the source, run the code in an isolated environment (container or VM) or manually audit/modify the code before enabling automated cron/tool registration.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cbayfgeqj1xp0d3ynyqkfy580y45s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments