Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Token Budget Monitor

Track and control token consumption across OpenClaw cron jobs

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description (token-budget monitoring for cron jobs) align with the files and code: track-usage.js implements per-job tracking, daily limits, alerts, and model recommendations. Required resources (no env vars, no external binaries) are proportionate to the stated functionality.
Instruction Scope
Runtime instructions stay within scope (run the CLI commands and add a call after LLM calls). One minor concern: the Integration example recommends building a shell command via string concatenation passed to exec (exec('node /path/to/track-usage.js track <job-name> ' + usage.input_tokens + ' ' + usage.output_tokens + ' ' + model)). That pattern can lead to shell-injection if job or model values are attacker-controlled. Otherwise the SKILL.md does not instruct reading unrelated files or sending data externally.
Install Mechanism
Instruction-only skill with no install steps and no downloads — lowest-risk install model. There are local code files but nothing is fetched from external URLs.
Credentials
No environment variables, no secrets, and only minimal use of HOME (to choose output dir) — consistent with the purpose. The code reads a local config.json in the skill directory; no unexpected credential or config paths are requested.
Persistence & Privilege
Does not request permanent/always-on privileges, does not modify other skills or system-wide config. It writes usage data to ~/.openclaw/workspace/outputs/token-usage.json which is a limited persistence scope and expected for this tool.
Assessment
This skill appears to do what it says: it reads config.json in the skill folder and writes a local usage file to ~/.openclaw/workspace/outputs/token-usage.json. It asks for no credentials and makes no network calls. Before installing:

1) Review and, if desired, change the OUTPUT_DIR path to a location you control and ensure appropriate file permissions.
2) Do not paste untrusted values into the integration command as shown; avoid building shell commands by concatenation. Instead invoke the script with a safe argument array (child_process.spawn or execFile) or validate/sanitize job and model names to prevent command injection.
3) If you plan to run this under different users or CI, verify how HOME is set (code falls back to /home/ubuntu).
4) Run it in a sandbox or test environment first to confirm it writes only the expected JSON file.

Overall this skill is internally consistent and low-risk for typical usage.


Current version: v1.0.0

SKILL.md

token-budget-monitor

Track and control token consumption across OpenClaw cron jobs, fallback chains, and sessions.

Installation

openclaw skills install aviclaw/token-budget-monitor

Usage

# Check current usage
node track-usage.js status

# Check budget for a specific job  
node track-usage.js check daily-tweet

# Alert if over budget
node track-usage.js alert

# Get model recommendations
node track-usage.js recommend

Integration

Add to cron jobs to track usage:

const { exec } = require('child_process');

// After LLM call completes
const usage = result.usage;
exec('node /path/to/track-usage.js track <job-name> ' + 
  usage.input_tokens + ' ' + usage.output_tokens + ' ' + model);
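
The scan notes on this page flag the string concatenation passed to exec in the snippet above. The following is an added example, not the skill's own code, that makes the same track call through execFile with an argument array and validates the values first; the SAFE_NAME allowlist, the function names and the scriptPath parameter are assumptions.

```javascript
// Added example, not part of the skill. SAFE_NAME, the function names and
// the scriptPath parameter are assumptions made for illustration.
const { execFile } = require('child_process');

// Assumed allowlist: job names like "daily-tweet" and model ids like
// "nvidia/moonshotai/kimi-k2.5". No spaces, quotes or shell metacharacters,
// and no leading "-" that the script could read as an option.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/;

function toTokenCount(value, label) {
  // Rejects strings, NaN, floats and negatives before they reach argv.
  if (!Number.isSafeInteger(value) || value < 0) {
    throw new TypeError(`${label} must be a non-negative integer`);
  }
  return String(value);
}

// Build the argv array for: track-usage.js track <job> <in> <out> <model>
function buildTrackArgs(scriptPath, jobName, usage, model) {
  for (const [label, value] of [['job name', jobName], ['model', model]]) {
    if (typeof value !== 'string' || !SAFE_NAME.test(value)) {
      throw new TypeError(`invalid ${label}`);
    }
  }
  return [
    scriptPath, 'track', jobName,
    toTokenCount(usage.input_tokens, 'input_tokens'),
    toTokenCount(usage.output_tokens, 'output_tokens'),
    model,
  ];
}

// execFile hands each array element to the child as one argument and starts
// no shell, so a metacharacter in a value is never interpreted.
function trackUsage(scriptPath, jobName, usage, model, callback) {
  const args = buildTrackArgs(scriptPath, jobName, usage, model);
  return execFile(process.execPath, args, { timeout: 10000 }, callback);
}
```

Call trackUsage('/path/to/track-usage.js', 'daily-tweet', result.usage, model, cb) after the LLM call; a rejected value throws before any process is started.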

Configuration

Edit config.json:

{
  "dailyLimit": 100000,
  "jobLimits": {
    "daily-tweet": 5000,
    "rss-brief": 15000
  },
  "alertThreshold": 0.8,
  "freeModels": [
    "nvidia/moonshotai/kimi-k2.5",
    "google/gemini-2.0-flash-exp"
  ]
}

Features

  • Per-job token tracking
  • Daily budget limits
  • Per-job custom limits
  • Alert when threshold exceeded
  • Recommend free model alternatives

Author

  • GitHub: @aviclaw

License

MIT

Files

4 total