Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Token Alert

v1.2.0

Monitors Clawdbot session token usage and sends alerts at 25%, 50%, 75%, 90%, 95%, and 100% thresholds with a dashboard and Telegram notifications.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is legitimately a token-monitoring/dashboard tool and most files (check.py, dashboard, provider modules) fit that purpose. However, the repo contains provider modules for multiple providers (OpenAI/Gemini/Anthropic) and Telegram/auto-export features while the skill metadata declares no required environment variables or primary credential — a mismatch. Those provider/notification features normally require API keys or tokens (or at least user-provided config), but the skill does not advertise required secrets up front.
Instruction Scope
SKILL.md instructs running Python scripts (check.py, show_dashboard.py) which is expected, but also suggests optional steps that expand scope: running setup-notifications.sh (installs notification tooling), starting a proxy-server.py (CORS proxy), and enabling auto-checks in HEARTBEAT.md. The auto-export behavior (triggers exportMemory() / summarize()) is described but the destination/mechanism of the export is not clearly documented — that could cause sensitive session data to be written or transmitted. The dashboard includes a service worker and push-notification code (client-side), and the repo includes scripts that can install system utilities and a LaunchAgent plist; these broaden the runtime actions beyond simple local token-checking.
Install Mechanism
There is no formal install spec (lowest-risk), but the project contains helper scripts that request installing third-party tooling (e.g., ImageMagick via brew, terminal-notifier via setup script) and a proxy server and launch scripts. Nothing in the manifest downloads arbitrary code at install time, but the optional setup scripts will install utilities and could create persistent agents if run.
Credentials
The codebase contains providers for Anthropic/OpenAI/Gemini and mentions Telegram alerts, which ordinarily require API keys or tokens. Yet requires.env is empty and no primary credential is declared. This asymmetry means API keys are likely collected via interactive setup or saved to config files (e.g., ~/.clawdbot/token-alert.json) rather than environment variables — acceptable but it increases risk if keys are stored insecurely. The skill also references interacting with the local Clawdbot gateway/session_status; that is coherent, but any code that can accept provider keys could also read/write them to disk or send them over the network unless audited.
Persistence & Privilege
The skill is not marked always:true and does not demand autonomous elevation. However, documentation and scripts mention optional persistent setups (macOS notifications, com.clawdbot.token-alert.plist LaunchAgent, periodic HEARTBEAT entries, proxy-server), so users can grant it persistent presence manually. That optional persistence combined with provider keys or auto-export increases blast radius if misused, but persistence is not forced by the skill metadata itself.
What to consider before installing
What to check before installing/use:

1) Review where API keys and tokens are stored:
   - Inspect scripts/providers/*.py and scripts/config.py to see whether provider API keys (Anthropic/OpenAI/Gemini) or Telegram tokens are read, and how they are persisted (plain file, plaintext JSON under ~/.clawdbot, localStorage, etc.). If keys are stored in files, ensure file permissions are restrictive or prefer env vars or encrypted storage.
2) Inspect auto-export and export/summarize logic:
   - Find exportMemory()/summarize() implementations (JS/Python). Confirm what 'export' does and where it writes or sends data (local file vs remote endpoint). Do not enable auto-export until you can verify no sensitive chat content is transmitted to unknown endpoints.
3) Audit network endpoints and proxy behavior:
   - Open scripts/proxy-server.py and dashboard/service-worker code. Ensure the proxy only forwards to your local Clawdbot/Gateway and does not proxy to external hosts or include any hard-coded remote URLs that would exfiltrate data.
4) Check installation scripts for system changes:
   - Look through setup-notifications.sh, notify.sh, start-dashboard.sh, and any plist/LaunchAgent files. These may install utilities (terminal-notifier, ImageMagick) or register a persistent LaunchAgent/cron job — only run them after you understand what they do.
5) Run in a controlled environment first:
   - Test the dashboard and check.py manually in an isolated VM or container. Use mock data mode (dashboard mentions USE_MOCK_DATA) to exercise behavior without connecting to real sessions.
6) Don’t add to automated HEARTBEAT or enable persistent agents until vetted:
   - The SKILL.md suggests adding checks to HEARTBEAT and running periodic scripts; only automate this after confirming no sensitive data is leaked.
7) If you plan to use Telegram/web push or provider integrations:
   - Prefer giving API keys at runtime or via secure config; check whether the code sends keys anywhere. For web push, note the repo says a server-side Web Push (VAPID) is not implemented; client-only notifications likely require manual consent.

If you want, I can:
   - Summarize specific lines to inspect (e.g., search for 'requests.post', 'urllib', 'socket', 'fetch(', 'exportMemory', 'summarize', 'open(', 'write', 'subprocess') across the repo.
   - Highlight any suspicious code snippets if you paste the contents of scripts/check.py, proxy-server.py, setup-notifications.sh, and providers/*.py.

Like a lobster shell, security has layers — review code before you run it.
