Token Tracker

What to consider before installing: - Privacy: the hook reads ~/.openclaw/sessions/*.json and logs event.context to stdout; those logs (gateway logs) can contain conversation text and other sensitive metadata. If you run this skill, protect gateway logs and review what session status files contain. - External delivery: cron-config uses Telegram as a delivery channel. Ensure any automated report/alert destination is configured by you and that tokens/credentials for Telegram are not supplied to an untrusted skill. If you don't want automatic external delivery, do not install the cron jobs or set delivery to a safe internal channel. - Review and test in isolation: run the skill in a non-production user/account first to confirm it only records the intended fields. Inspect usage_records.json and config.json for stored data and remove/secure them as needed. - Code quality: the Node hook contains a coding bug (uses 'await import("fs")' inside a non-async function), and the hook prints full context — consider fixing the code to only extract token counts and model names and to avoid logging entire context. The Python script appears to work but uses a simplified timezone handling and will create files under ~/.openclaw/workspace/skills/token-tracker. - Trust and provenance: the skill has no homepage and an unknown source. If you do not trust the author, prefer manual inspection, run in an isolated environment, or avoid enabling the hook/cron features. - Operational: HOOK.md indicates Node is required. If you install the hook, ensure Node runs with expected module semantics (ESM) and that OpenClaw's hook registry will not forward sensitive data elsewhere.