ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LLM Cost Tracker

Track, analyze, and optimize LLM API spending across providers (OpenAI, Anthropic, Google, DeepSeek, etc.). Use when the user asks about API costs, token usa...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 101 · 0 current installs · 0 all-time installs
byJohn Wang@Johnnywang2001
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (LLM cost tracking and optimization) align with the included Python script which reads local usage files, queries provider usage APIs (OpenAI via OPENAI_API_KEY) and calculates costs. However the registry metadata claims no required environment variables or credentials while SKILL.md and the script require provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, DEEPSEEK_API_KEY). This mismatch is unexplained and reduces trust in the metadata.
Instruction Scope
SKILL.md instructs running the bundled script and editing ~/.openclaw/cost-tracker.json, which the script indeed reads/writes. The instructions do not ask for unrelated files. The script performs network calls to provider APIs (expected), writes/reads files under ~/.openclaw (expected), and loads local provider_*.json usage files. The SKILL.md and registry fail to explicitly declare the environment variables the runtime code checks, and the SKILL.md references alert channels (telegram, discord) but the visible script portion does not show how alerts are delivered — the file is truncated, so the alerting/notification behavior must be reviewed before trusting it.
Install Mechanism
No install spec or downloads are present; this is a simple Python script included in the skill bundle. No external installers or archive extraction are performed by the registry metadata. Risk from install mechanism is low, but the code will be written to disk when the skill is installed (already present in the bundle).
!
Credentials
The tool legitimately needs provider API keys to query usage, which is proportionate to its function. However the skill's declared requirements list no required environment variables or primary credential while both SKILL.md and the script expect OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, and DEEPSEEK_API_KEY. This inconsistency is suspicious: the skill will access secrets (API keys) but the registry metadata does not declare them. Also the SKILL.md mentions alert channels (telegram/discord) that commonly require tokens — those tokens are not documented in metadata either. Verify which credentials the skill will actually use and why they were omitted from metadata.
Persistence & Privilege
always:false (normal). The script creates and writes config and usage files under ~/.openclaw (CONFIG_PATH, DATA_PATH) and logs local usage; this is expected for a cost tracker and does not modify other skills or system-wide settings. No elevated privileges or permanent platform-wide overrides are requested in the visible code.
What to consider before installing
This package mostly looks like a normal local cost-tracker, but there are important inconsistencies and an incomplete file to review before trusting it: - Metadata mismatch: the registry says no required env vars, yet the SKILL.md and script read provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, DEEPSEEK_API_KEY). Don't supply API keys until you confirm the code's behavior. - Files written/read: the script will create ~/.openclaw/cost-tracker.json and a ~/.openclaw/cost-data directory and write/read provider_*.json files. Expect local persistence of usage data. If that's unwanted, run the script in a controlled environment or change the paths before use. - Alerts and external endpoints: SKILL.md mentions alert channels (telegram/discord) but the visible code is truncated and does not show how alerts are sent. Inspect the rest of scripts/cost_tracker.py for any networking code that posts to third-party endpoints, and for any tokens required for alerts. - Network access: the script performs outgoing HTTPS requests to provider APIs. Only provide API keys for accounts you trust to be accessed by this tool, and consider using read-only/billing-scoped credentials if available. - To be safer: review the entire scripts/cost_tracker.py (the file appears truncated in the bundle), confirm there are no hard-coded remote endpoints beyond provider APIs, and run the script in a sandbox or isolated environment first. If you plan to use alerts, verify exactly which alert tokens are required and whether they are stored locally. If anything is unclear, treat the metadata mismatch as a red flag and request an updated manifest that accurately lists required env vars and alerting behavior.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk977m7th7vwd1wt4y1q55hcmv182mtk2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

API Cost Tracker

Monitor and optimize your LLM API spending directly from your agent.

Quick Start

Run cost analysis:

python3 scripts/cost_tracker.py --summary

Commands

Check Current Spend

python3 scripts/cost_tracker.py --provider openai --period today
python3 scripts/cost_tracker.py --provider anthropic --period week
python3 scripts/cost_tracker.py --all --period month

Set Budget Alert

python3 scripts/cost_tracker.py --set-budget 100 --period month --alert telegram

Cost Breakdown by Model

python3 scripts/cost_tracker.py --breakdown model --period week

Optimization Recommendations

python3 scripts/cost_tracker.py --optimize

This analyzes usage patterns and recommends:

  • Model downgrades for simple tasks (e.g., use Haiku instead of Opus for classification)
  • Caching opportunities (repeated similar prompts)
  • Batch processing windows (off-peak pricing where available)
  • Context window optimization (trim unnecessary context)

Supported Providers

ProviderMethodSetup
OpenAIUsage APIOPENAI_API_KEY env var
AnthropicUsage APIANTHROPIC_API_KEY env var
Google AIBilling APIGOOGLE_API_KEY env var
DeepSeekUsage APIDEEPSEEK_API_KEY env var

Budget Alerts

Configure in ~/.openclaw/cost-tracker.json:

{
  "budgets": {
    "daily": 10,
    "weekly": 50,
    "monthly": 200
  },
  "alertChannels": ["telegram", "discord"],
  "alertThresholds": [50, 75, 90, 100]
}

Alerts fire at each threshold percentage. At 100%, optionally pause non-critical agent tasks.

Output Format

Reports generate as markdown tables suitable for any messaging surface:

Provider    | Model              | Tokens    | Cost
------------|--------------------|-----------|---------
Anthropic   | claude-opus-4-6   | 2.1M      | $63.00
Anthropic   | claude-sonnet-4-6 | 5.4M      | $16.20
OpenAI      | gpt-4o            | 1.8M      | $9.00
            | TOTAL              |           | $88.20

Advanced: Cost Optimization Patterns

See references/optimization-guide.md for detailed strategies on reducing API spend by 30-60% without sacrificing quality.

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…