Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Token Monitor

v1.2.0

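Real-time OpenClaw token monitoring dashboard. Supports: (1) SQLite persistent storage of historical data (2) real-time monitoring of current token consumption (incremental curve) (3) a history view showing consumption for any day (4) session summaries by day/hour (5) cost estimation in RMB (MiniMax official pricing) (6) mouse-wheel zoom of the X axis (7) chart sampling to prevent lag. Trigger...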

0 · 111 · 0 current · 0 all-time
by OldYoung @oldyoungcn

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for oldyoungcn/openclaw-token-monitor.

Install the skill "OpenClaw Token Monitor" (oldyoungcn/openclaw-token-monitor) from ClawHub.
Skill page: https://clawhub.ai/oldyoungcn/openclaw-token-monitor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-token-monitor

ClawHub CLI


npx clawhub@latest install openclaw-token-monitor
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the observed behavior: the server polls the OpenClaw CLI (openclaw sessions --active --json), computes rates/costs and persists snapshots to a local SQLite DB. Calling the OpenClaw CLI and writing a DB are expected for a token monitor. One oddity: the code requires sql.js using an absolute path (/tmp/node_modules/sql.js) rather than a normal package import; that's inconsistent with package.json (no dependencies declared) and the SKILL.md's claim of 'sql.js (WASM) no local compile needed'.
! Instruction Scope
SKILL.md instructs running the included Node script which starts an HTTP server (port 3000) and polls the OpenClaw CLI every 3s. The server writes session_key and per-session details into a DB file under workspace/data/token_history.db. Persisting session_key and other session metadata is relevant to monitoring, but it is sensitive: if the server binds to non-local interfaces (the docs even show a LAN IP) or is left unprotected, those keys and usage data can be exposed. The instructions do not require or recommend restricting the listener to localhost or adding authentication.
Install Mechanism
No install spec (instruction-only plus included code), which is lower risk than downloading arbitrary code. However, the code requires initSqlJs from an absolute path (/tmp/node_modules/sql.js) rather than a module installed relative to the package — this is unusual and may indicate the script expects a preinstalled runtime artifact in /tmp, or will fail. There is no evidence of remote downloads in the provided files.
! Credentials
The skill requests no env vars, which is reasonable. But it relies on executing the 'openclaw' CLI and then stores session_key values (and other session fields) to disk. Storing raw session keys/tokens is directly related to its purpose but is sensitive: without access controls the DB is a credential/secret store. The number of required credentials is zero and proportional, but the handling and storage of session keys requires caution.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It persists its own DB under workspace/data/token_history.db which is normal for this utility. It starts an HTTP server that may run indefinitely while active; that's appropriate for a monitoring dashboard but increases exposure if not bound/restricted.
What to consider before installing
This skill appears to implement a local token-usage dashboard by calling the 'openclaw' CLI and saving snapshots to a local SQLite file. Before installing, consider: (1) The Node script requires '/tmp/node_modules/sql.js' via absolute path — ask the author why and ensure the runtime provides sql.js or modify the require to use a normal dependency. (2) The monitor persists session_key and per-session details in workspace/data/token_history.db — these can contain sensitive tokens/IDs; inspect that file and rotate any secrets if exposed. (3) The server listens on port 3000 and SKILL.md references a LAN IP; run it bound to localhost (or behind an authenticated proxy) and/or firewall the port if you don't want LAN access. (4) Verify the 'openclaw' CLI is legitimate and does not itself leak credentials. (5) Because part of the source was truncated in the package listing, review the full token-monitor.js for any outbound network calls or hidden endpoints before running. If you cannot audit or fix the absolute sql.js path and restrict the server, run the tool inside an isolated container/VM and limit filesystem/network exposure.
scripts/token-monitor.js:101
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


latestvk978q1qp3gfjnes4bkrz96yvb9851s70
111 downloads
0 stars
4 versions
Updated 1w ago
v1.2.0
MIT-0

OpenClaw Token Monitoring Center

Quick Start

# Start the monitoring service
node skills/token-monitor/scripts/token-monitor.js

# Open the dashboard
open http://192.168.50.210:3000

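Features at a Glance

Module | Description
📊 Real-time curve | Polls every 3 seconds; the blue line shows the token increment per poll, the orange line shows the rate (tokens/s)
📈 History view | Click ← → or use the date drop-down to view the full consumption curve for any day
🏺 SQLite persistence | Data is written to /workspace/data/token_history.db and survives page refreshes
💰 RMB estimate | Based on MiniMax official pricing (input ¥2.1 per million, output ¥8.4 per million)
📋 Session detail table | Per-session Input/Output/Total Tokens, cost, and share bar
🍩 Doughnut chart | Distribution of token consumption share across sessions
🔍 Wheel zoom | Scroll the mouse wheel over the chart to zoom the X axis in or out
📷 Export image | Click "📷 Export chart" to download a PNG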

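Data Storage

  • Database: data/token_history.db (SQLite)
  • : snapshots (per-session details for each poll), rate_history (rate for each poll), daily_summary (daily summary)
  • Polling interval: 3 seconds (adjustable at the top of the page)
  • Retention policy: kept permanently, queried by date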

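Technical Details

  • Server: token-monitor.js (Node.js, port 3000)
  • Front end: token-monitor.html (Chart.js + chartjs-plugin-zoom, pure front end, no build step required)
  • Database: sql.js (WASM version, no local SQLite compilation required)
  • API: /data (real-time snapshot), /api/daily?date=YYYY-MM-DD (historical data), /api/dates (list of available dates)
  • Dependency: openclaw sessions --active --json (data source)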

Directory Structure

skills/token-monitor/
├── SKILL.md          # this file
├── package.json
└── scripts/
    ├── token-monitor.js   # server (polling + SQLite + API)
    └── token-monitor.html # front-end dashboard
