ClawHub

glm-plan-usage

v1.0.1

查询 GLM 编码套餐使用统计,包括配额、模型使用和 MCP 工具使用情况 | Query GLM coding plan usage statistics, including quota, model usage, and MCP tool usage

0· 714·1 current·1 all-time
by@orientluna
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Skill name/description (query GLM coding plan usage) matches the provided script and docs. The included script queries quota/model/tool endpoints on the GLM monitoring API and formats the result; those operations are appropriate for the stated purpose.
Instruction Scope
Runtime instructions and the script are focused on reading ~/.openclaw/openclaw.json to detect a provider, extracting an API key, and calling three monitoring endpoints on open.bigmodel.cn. The script does not attempt to exfiltrate data to unrelated endpoints or read arbitrary system files, but it will access the user's OpenClaw config (which may contain multiple provider API keys).
Install Mechanism
No install spec is provided (instruction-only skill plus a bash script). Installation is typical (copy files into ~/.openclaw/skills and make script executable). No remote downloads or archives are performed by the skill itself.
!
Credentials
Registry metadata declares no required credentials, but the script expects and reads an API key from ~/.openclaw/openclaw.json and uses it in Authorization headers when calling the monitoring API. This is a meaningful mismatch: the skill requires access to a secret stored in the user's config, and that secret will be sent to open.bigmodel.cn. The script also reads the HOME environment (for the config path) and an optional OPENCLAW_LANGUAGE env var; those are reasonable but not declared.
Persistence & Privilege
The skill is user-invocable and not always-enabled. It does not request elevated OS privileges, does not modify other skills or system-wide configuration, and does not persist new credentials. Installing simply places files under the user's ~/.openclaw/skills folder.
What to consider before installing
This skill largely does what it claims, but review and be aware of two issues before installing: - The script reads your OpenClaw config (~/.openclaw/openclaw.json) and extracts an API key for the detected provider; that key is included in Authorization headers and sent to https://open.bigmodel.cn. Verify you are comfortable with that provider receiving the key and that the key in your config is scoped appropriately. - The registry metadata lists no required credentials, which is inaccurate. Expect the script to require a provider entry with baseUrl containing api/coding/paas/v4 and an apiKey in ~/.openclaw/openclaw.json. - The script hardcodes API_BASE to https://open.bigmodel.cn rather than using the provider's baseUrl value; if you use a proxy/custom endpoint this may not work. Inspect scripts/query-usage.sh yourself (or run it in a safe environment) to confirm behavior before installing. If you have other sensitive API keys in your OpenClaw config, consider removing/isolating them or creating a separate provider entry with a limited-scope key just for monitoring.

Like a lobster shell, security has layers — review code before you run it.

latestvk974z2yjq50sp5vh18bnyczh3d813mbw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments