TokenLens Token Value Optimizer

v1.0.3

TokenLens Token Value Optimization Engine — Maximize value per token with smart optimization, cost tracking, and efficiency recommendations. Free version wit...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description (token value optimization) matches the included scripts (token_value_tracker.py, context_optimizer.py, model_router.py). Scripts read and write only under ~/.openclaw/workspace/memory/tokenlens/, and there are no required credentials or network calls. Minor mismatch: SKILL.md and README mention script names such as optimization_manager.py and value_reporter.py, which do not exist in the manifest; the implementation uses different filenames (context_optimizer.py, model_router.py). This is likely documentation drift, but worth noting.
Instruction Scope
Runtime instructions explicitly tell the user/agent to run local scripts and a shell wrapper (optimize.sh). The Python scripts operate on local data only and do not import subprocess, sockets, or networking libraries. They do reference OpenClaw CLI commands in recommendation text (e.g., 'openclaw config set', 'openclaw session compact') but those are presented as commands for the user to run, not executed by the Python code. The SKILL.md security metadata claims 'no code execution' and 'no subprocess', which is slightly misleading because the skill includes a bash CLI (optimize.sh) that invokes the Python scripts when run; however this is execution of the skill's own code, not hidden/external execution. Overall the instruction scope stays within the stated purpose, but documentation vs. implementation claims are inconsistent.
Install Mechanism
No install spec and no remote downloads — this is an instruction-only skill with local scripts included in the package. That is low-risk from an install perspective.
Credentials
The skill requests no environment variables or external credentials. It stores and reads data under the user's OpenClaw workspace (~/.openclaw/workspace/memory/tokenlens/), which is consistent with its function. Recommendations contain example commands that would change OpenClaw configuration if executed by the user (e.g., 'openclaw config set ...'), so users should only run those knowingly.
Persistence & Privilege
The skill does not request 'always: true' or other elevated privileges. It creates and persists token usage and config files under its own directory in the OpenClaw workspace, which is expected behavior for a tracking/optimizer tool.
Assessment
This skill appears to do what it says: local token tracking and optimization recommendations with no network access or credential requests. Before installing:
- Review the included scripts (token_value_tracker.py, context_optimizer.py, model_router.py, optimize.sh) to confirm you are comfortable with files being written to ~/.openclaw/workspace/memory/tokenlens/ (token_usage.json, config.json).
- Note the small documentation inconsistencies (some referenced script names in SKILL.md/README/SECURITY.md don't match files in the package) and the security claims that say 'no code execution' while providing a shell wrapper (optimize.sh) that launches the included Python scripts; this is not necessarily malicious but is a mismatch you may want clarified by the author.
- If you are concerned, run the skill in a sandbox or inspect/backup your OpenClaw workspace before running any 'optimize --apply' or OpenClaw config commands the tool suggests.
- Only execute OpenClaw CLI commands from the recommendations if you understand their effect (they modify agent configuration).
If you want higher assurance, ask the maintainer to confirm the exact behavior and to correct the doc mismatches.

Like a lobster shell, security has layers — review code before you run it.

