Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Usage Records and Statistics (Nicki)

v1.1.0

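Skill invocation logging and statistical analysis. Automatically tracks all skill invocations with no user action required. Supports skill usage reports by day, week, month, quarter, and year. Use it directly after installation; no configuration needed.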

0· 109·0 current·0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for superuser-fank/skill-usage-tracker-nicki.

Install the skill "技能使用记录与统计(Nicki)" (superuser-fank/skill-usage-tracker-nicki) from ClawHub.
Skill page: https://clawhub.ai/superuser-fank/skill-usage-tracker-nicki
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-usage-tracker-nicki

ClawHub CLI


npx clawhub@latest install skill-usage-tracker-nicki
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The description claims automatic tracking of all skill invocations (via a HEARTBEAT every 2 hours) and active insertion of notifications into replies. The shipped artifacts are only log.py (append a record) and query.py (generate reports) operating on a local usage.json. There is no code to scan session history, run periodic heartbeats, or hook into agent responses. That mismatch means the skill does not actually provide the advertised automatic capability.
! Instruction Scope
SKILL.md instructs automatic session-history scanning and telling users 'just now you called XXX' at the end of replies — actions that would require agent hooks and access to session logs. The provided scripts neither inspect session state nor modify agent replies; they only accept explicit CLI arguments. The instructions are therefore overly broad and grant the skill capabilities it doesn't implement.
Install Mechanism
No install spec or external downloads; code is included in the skill bundle and performs only local file I/O. This is a low-risk installation mechanism.
Credentials
No environment variables, no credentials, and no network access in the code. The scripts only read/write a local usage.json in the skill directory — this is proportionate to a local usage-logging utility. Note: if the advertised heartbeat/session scanning were implemented, it would likely require access to session/history data (sensitive) and possibly additional privileges.
Persistence & Privilege
always is false; the skill does not request persistent system-wide privileges or modify other skills. It stores data in its own data/usage.json file only.
What to consider before installing
This skill is inconsistent: it promises automatic background tracking and reply-injection but only ships two simple CLI scripts that manually log to and query a local JSON file. Before installing, decide whether you trust a skill that would need to access session histories or modify agent replies. If you only want manual logging/reporting, this bundle is harmless — it stores records locally and has no network calls. If you expect automatic behavior, ask the author for the missing integration code (heartbeat scheduler, session-history reader, and reply hook) and review any such code carefully for what session data it reads and whether it transmits data off the machine. Also: confirm how the agent is expected to invoke log.py automatically (agent hooks/permissions) and audit that integration path for privacy risks.

Like a lobster shell, security has layers — review code before you run it.

latest vk97c0cv5v5cg3nsrb9xmnb1qds83tzv7
109 downloads
0 stars
2 versions
Updated 4w ago
v1.1.0
MIT-0

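Skill Usage Records and Statistics

Features

  • Automatic logging: every skill invocation is recorded automatically, with no user action required
  • Manual reporting: proactively tells the user "just now the XXX skill was called"
  • Statistical reports: generates usage reports by day, week, month, quarter, or year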

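File structure

skill-usage-tracker/
├── SKILL.md
├── scripts/
│   ├── log.py      # log invocations
│   └── query.py    # query statistics
└── data/
    └── usage.json  # invocation record storage

Logging methods

Automatic logging (primary): a HEARTBEAT scans the session history every 2 hours and backfills missing records
Proactive reporting: after each skill invocation, the user is told at the end of the reply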

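Querying statistics

When the user requests a report, call query.py:

python3 ~/.openclaw/workspace/skills/skill-usage-tracker/scripts/query.py <dimension>

Dimension options:

Dimension    Description
Today
This Monday to now (default)
This month
This quarter
This year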

Output format

技能使用报告 - 本周(03月24日 至 03月29日)

总调用次数:15次

⏱ 滚动窗口(5小时)
━━━━━━━━━━━━━━━━━━━
🟢 minimax-token-plan
   8次 · 53.3%
🟡 camoufox
   5次 · 33.3%
🔵 feishu-task
   2次 · 13.3%

Data structure

usage.json:

{
  "records": [
    {
      "skill": "minimax-token-plan",
      "called_at": "2026-03-29T16:30:00+00:00",
      "note": ""
    }
  ]
}
