Openrouter Usage
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears purpose-aligned for OpenRouter spending tracking, but it does read your OpenRouter API key and OpenClaw session logs, so install it only if you trust that access.
This looks like a coherent spending-reporting skill. Before installing, confirm you trust the source because it can read your OpenRouter API key and OpenClaw session logs, and the installer creates a local command plus an optional OpenClaw workspace skill link.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use an existing OpenRouter credential to query account credit information without the user manually pasting a key.
The script auto-discovers an OpenRouter API key from either an environment variable or local OpenClaw agent auth files.
key = os.environ.get("OPENROUTER_API_KEY") ... auth_files = sorted(openclaw_dir.glob("agents/*/agent/auth.json")) ... return auth["openrouter"]["key"]Use it only if you are comfortable with the skill reading your OpenRouter key; set OPENROUTER_API_KEY explicitly if you want to control which key is used.
Session logs may contain private work history, model names, token counts, and cost information; the shown code parses them locally for usage data.
The skill reads persistent OpenClaw session logs across agents to compute local usage and cost breakdowns.
Session parsing is fully local — reads `~/.openclaw/agents/*/sessions/*.jsonl`.
Avoid sharing generated reports if model names, usage patterns, or spending details are sensitive; use date and agent filters where appropriate.
Running the installer creates a persistent CLI wrapper and may link the repository as a workspace skill.
The documented installation path asks the user to clone a GitHub repository and run a local installer script.
git clone https://github.com/ZarpAIbot/openrouter-usage cd openrouter-usage ./install.sh
Review the repository and installer before running ./install.sh, especially because the registry metadata lists the source as unknown and no homepage.