Analytix402

Monitor and control your AI agent’s API and LLM usage with real-time spend tracking, budget limits, duplicate detection, and alerts.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 455 · 3 current installs · 3 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The description promises automatic tracking of every outbound API call, LLM token usage across providers, duplicate-purchase detection, and heartbeats. But the published package is instruction-only with no code, no install hooks, and the registry metadata lists no required environment variables or permissions. A monitoring/control capability of this form would legitimately need either agent-level hooks, additional declared permissions, or clear instructions for how the agent should forward telemetry; none are present.
! Instruction Scope
SKILL.md instructs the agent to use ANALYTIX402_API_KEY and mentions a base URL and tools (analytix402_spend_report, analytix402_set_budget, etc.), but provides no concrete API endpoints, request schemas, or guidance for what data is collected/sent. It also claims to 'track all outbound API calls' and 'monitor LLM token usage' without explaining how to capture those events. This vagueness grants broad discretion to the agent and could result in unexpected data exfiltration if implemented later.
Install Mechanism
No install spec and no code files, which is the lowest install-surface risk from a static analysis perspective. However, because no implementation is included, there is also no way to verify what would actually run. The lack of an install step makes the skill easier to audit, but it also means SKILL.md alone determines behavior; the static scanner had nothing to analyze.
! Credentials
SKILL.md lists ANALYTIX402_API_KEY as a required value, but the registry metadata declares no required env vars or primary credential — an explicit mismatch. Additionally, the claimed capability to monitor other providers (OpenAI, Anthropic) would typically require access to those providers' credentials or to the agent's request stream; neither is requested or explained. Requiring an external API key to receive telemetry about potentially sensitive requests is proportionate only if the manifest and privacy/data-handling policies are explicit — they are not.
Persistence & Privilege
always is false and the skill is not force-enabled. The skill can be invoked autonomously (default), which is normal, but combined with the described telemetry/forwarding behavior this increases the blast radius (the agent could autonomously send outgoing request data to analytix402.com). This is not a hard misconfiguration by itself, but it heightens the need to verify what data is sent and to whom.
Scan Findings in Context
[no_findings] expected: The regex-based scanner found nothing because there are no code files (instruction-only). This is expected but means there is no static evidence about what the skill would actually execute; reliance is solely on SKILL.md prose.
What to consider before installing
Do not supply any API keys or enable this skill for production agents until the author clarifies how telemetry is captured and transmitted. Ask the publisher to: (1) provide an implementation or manifest that shows the exact endpoints, schemas, and minimal data fields sent; (2) declare required environment variables in the registry metadata; (3) publish a privacy/security policy and the analytix402.com ownership information; and (4) explain how it hooks into the agent (does it read request payloads, intercept network calls, require provider keys, or expect the agent to forward events?). If you must test, do so with a throwaway agent running in an isolated environment, monitor outbound network traffic to the listed domain, and avoid giving any provider credentials or sensitive payloads. The current package is internally inconsistent and should be treated with caution.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0
latestvk97a5s5h52pcgzwwm104fax6dx81c8xa

SKILL.md

Analytix402

Monitor, control, and optimize your AI agent's API spend and LLM costs in real-time.

Description

Analytix402 gives your OpenClaw agent financial visibility and guardrails. Track every API call, LLM invocation, and x402 payment your agent makes. Set budget limits, detect duplicate purchases, and get alerts before costs spiral.

What it does:

  • Tracks all outbound API calls and x402 payments automatically
  • Monitors LLM token usage and costs across OpenAI, Anthropic, and other providers
  • Enforces daily budget limits and per-call spend caps
  • Detects duplicate API purchases to prevent waste
  • Sends heartbeats so you know your agent is alive and healthy
  • Provides a real-time dashboard at analytix402.com

Configuration

# Required
ANALYTIX402_API_KEY: ax_live_your_key_here

# Optional
ANALYTIX402_AGENT_ID: my-openclaw-agent
ANALYTIX402_BASE_URL: https://analytix402.com
ANALYTIX402_DAILY_BUDGET: 50.00
ANALYTIX402_PER_CALL_LIMIT: 5.00
ANALYTIX402_TRACK_LLM: true

Tools

analytix402_spend_report

Get a summary of your agent's spend — total cost, breakdown by API and LLM provider, and efficiency score.

analytix402_set_budget

Set or update the daily budget limit for this agent session.

analytix402_check_budget

Check remaining budget before making an expensive API call.

analytix402_flag_purchase

Flag a potential duplicate or unnecessary purchase for review.

Tags

monitoring, analytics, budget, x402, payments, observability, cost-tracking

Files

1 total