token-sisyphus
v1.0.2Burn LLM tokens toward a target count to satisfy corporate AI usage KPIs. Trigger when user says: burn tokens, consume tokens, fill KPI, push the boulder, si...
⭐ 0· 103·0 current·0 all-time
byNear@neardws
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included script and SKILL.md: the tool repeatedly issues chat/generation requests to consume tokens. The env vars and optional SDK installs (OpenAI/Anthropic/Gemini) correspond to the providers the skill targets. Note: the registry metadata shows 'Required env vars: [object Object]' which appears to be a formatting/parsing bug but the SKILL.md clearly documents the three provider API env vars.
Instruction Scope
Runtime instructions are narrowly scoped to installing provider SDKs, setting an API key, and running the bundled burn.py. The script does not read unrelated system files or secrets beyond provider API keys. One noteworthy capability: openai provider accepts an arbitrary --base-url, which is useful for compatible providers but means requests can be pointed to custom endpoints—ensure any custom endpoint is trusted to avoid sending data/tokens to an untrusted server.
Install Mechanism
This is instruction-only with a bundled Python script; no remote downloads or archive extraction. It optionally instructs pip installs for provider SDKs (openai, anthropic, google-generativeai), which is typical and low-risk compared to arbitrary downloads. The script will exit with an error if the required SDK is missing at runtime.
Credentials
Only provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY) are used, which is proportional to the stated functionality. These are sensitive credentials that grant billing and API access — the user should prefer scoped/test keys rather than org-wide or admin keys. The SKILL.md marks these env vars optional, but a live run will need one of them (or --api-key) to make real requests.
Persistence & Privilege
The skill is not always-on, is user-invocable, and does not request elevated or persistent system privileges or attempt to modify other skills or system-wide agent settings. Autonomous invocation is allowed by default but not combined with other red flags here.
Assessment
This skill is coherent but intentionally wasteful: it will make many API calls and can incur significant cost. Before running: 1) Use --dry-run to verify behavior without cost. 2) Use a scoped or test API key (do NOT supply org-wide admin keys). 3) If you use --base-url, only point to endpoints you trust (untrusted endpoints could receive the prompt text). 4) Start with a small target and monitor billing/usage. The registry metadata appears to have a formatting bug for env vars — double-check the env var names in SKILL.md before supplying credentials.Like a lobster shell, security has layers — review code before you run it.
claudevk975y09a0x5b4dppna43y9f7c983bs9tgeminivk975y09a0x5b4dppna43y9f7c983bs9tkpivk975y09a0x5b4dppna43y9f7c983bs9tlatestvk975y09a0x5b4dppna43y9f7c983bs9tllmvk975y09a0x5b4dppna43y9f7c983bs9topenaivk975y09a0x5b4dppna43y9f7c983bs9tsatirevk975y09a0x5b4dppna43y9f7c983bs9ttokenvk975y09a0x5b4dppna43y9f7c983bs9t
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Env[object Object], [object Object], [object Object]