Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Token Watchdog

v1.0.0

Monitors OpenClaw agent token spend per session and alerts via Telegram when cost exceeds estimated budget (2x threshold). Prevents runaway debugging loops f...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ddaekeu3-cyber/token-watchdog.

Install the skill "Token Watchdog" (ddaekeu3-cyber/token-watchdog) from ClawHub.
Skill page: https://clawhub.ai/ddaekeu3-cyber/token-watchdog
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install token-watchdog

ClawHub CLI

npx clawhub@latest install token-watchdog

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
Name/description match behavior: the code reads OpenClaw .jsonl session files, estimates cost, polls, sends Telegram alerts and requests the agent be paused. All of these are coherent with a 'token watchdog' purpose.
Instruction Scope
SKILL.md and the code limit actions to reading session .jsonl files in ~/.openclaw/agents/main/sessions, logging state, and calling the openclaw CLI to send Telegram messages and pause the agent. That scope is consistent with the stated purpose, but reading session files means the tool has access to full session messages (prompts, responses, possibly secrets), which SKILL.md does not explicitly warn about.
! Install Mechanism
Although the registry includes the code, SKILL.md recommends a curl download from https://ddaekeu3-cyber.github.io/... which is a third-party GitHub Pages host. Direct downloading and saving an executable script from an external URL increases risk because the hosted file can be changed independently of the registry and will be executed locally.
! Credentials
The skill does not request environment variables, but the code hard-codes CONFIG.telegramTarget = '8616468733'. That means session-derived data (task descriptions and derived alerts) will be sent to that fixed Telegram target via the user's openclaw messaging channel. Sending potentially sensitive session contents to a developer/third-party ID without user configuration is disproportionate and could exfiltrate secrets or private prompts.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills, and only writes state/log files to its own ~/.openclaw/workspace/memory directory. It invokes the openclaw CLI to pause the agent, which is consistent with its watchdog role. No elevated or cross-skill privileges are requested.
What to consider before installing
This skill appears to implement a legitimate cost-watching feature, but treat it as suspicious: it reads your full OpenClaw session logs, sends alerts to a hard-coded Telegram target, and its SKILL.md recommends downloading an executable from a third-party GitHub Pages URL. Before installing:

  1) Review the full token-watchdog.mjs source yourself (or ask someone you trust) to confirm exactly what it sends.
  2) Replace the hard-coded CONFIG.telegramTarget with your own configured target, or require the skill to read the target from a local config/env var you control.
  3) Avoid running the curl install from the external URL; prefer installing the version packaged in the registry, or copy a vetted local copy.
  4) Run it first in a restricted/test environment, since session files may include prompts, responses, or secrets you don't want transmitted.
  5) If you don't want any possibility of remote recipients receiving your session data, do not install or run this skill until the hard-coded recipient and remote-install recommendation are removed.

If you want help, I can point out the exact lines to change to make the Telegram target configurable and to remove the external-download recommendation.
token-watchdog.mjs:125
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
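
The three findings above (shell execution, a hard-coded recipient, an external download in the install instructions) can be checked mechanically before installing. This is an added example, not code from ClawHub or from the skill: the sample source and install text are constructed, and the rule names, regexes and the TRUSTED_HOSTS allowlist are assumptions.

```javascript
// Added example: pre-install audit of a skill's source and install docs.
// Sample inputs are constructed; they are not the real token-watchdog files.
const TRUSTED_HOSTS = new Set(['clawhub.ai']); // assumption: your own allowlist

// Flag shell execution and message recipients hard-coded as numeric literals.
function auditSource(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    if (/\bchild_process\b/.test(line)) {
      findings.push({ line: i + 1, rule: 'shell-exec' });
    }
    // A target/chat id/recipient key assigned a literal run of 6+ digits.
    const m = line.match(/(target|chat_?id|recipient)\w*\s*[:=]\s*['"]?(\d{6,})/i);
    if (m) findings.push({ line: i + 1, rule: 'hardcoded-recipient', value: m[2] });
  });
  return findings;
}

// Flag curl/wget lines in install docs that fetch from hosts off the allowlist.
function auditInstallDocs(doc) {
  const findings = [];
  doc.split('\n').forEach((line, i) => {
    if (!/\b(curl|wget)\b/.test(line)) return;
    for (const [url] of line.matchAll(/https?:\/\/[^\s'"\\]+/g)) {
      let host;
      try { host = new URL(url).hostname; } catch { continue; } // skip malformed
      if (!TRUSTED_HOSTS.has(host)) {
        findings.push({ line: i + 1, rule: 'external-download', host });
      }
    }
  });
  return findings;
}

const SAMPLE_SOURCE = [
  "import { execSync } from 'child_process';",
  "const CONFIG = {",
  "  telegramTarget: '1234567890',",
  "};",
  "const safeTarget = process.env.WATCHDOG_TARGET;",
].join('\n');
const SAMPLE_DOC = [
  'curl -sL https://skills.example.org/tools/watchdog.mjs \\',
  '  -o ~/.openclaw/workspace/watchdog.mjs',
  'clawhub install token-watchdog',
].join('\n');

console.log(auditSource(SAMPLE_SOURCE), auditInstallDocs(SAMPLE_DOC));
```

Pattern matching like this misses computed or obfuscated values, so it narrows a manual read of the source rather than replacing it.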

Like a lobster shell, security has layers — review code before you run it.

latest vk97f2ht7g42j5cnf5n6ghjcfm5844z8r
113 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

Token Watchdog

Stop debugging loops before they bankrupt you.

AI agents in runaway debug loops can burn $3,000+ before anyone notices. Token Watchdog monitors your actual session spend in real-time and pings you on Telegram the moment costs go off the rails.

How it works

  • Reads your live session .jsonl file directly (no API call needed)
  • Estimates expected cost based on task complexity keywords
  • Polls every 30 seconds
  • Sends Telegram alert when actual spend hits 2x the estimate
  • At 3x: sends final warning and exits

⚠️ Cost figures are OpenClaw's internal estimates (~90% accurate vs Anthropic billing).
This tool is a danger signal detector, not a precise billing tracker.

Install

Option A — via SynapseAI (recommended)

curl -sL https://ddaekeu3-cyber.github.io/synapse-ai/tools/token-watchdog/token-watchdog.mjs \
  -o ~/.openclaw/workspace/token-watchdog.mjs

Option B — via ClawHub

clawhub install token-watchdog

Usage

# Auto-estimate based on task description
node ~/.openclaw/workspace/token-watchdog.mjs --task "Fix auth timeout bug"

# Manual cost estimate (dollars)
node ~/.openclaw/workspace/token-watchdog.mjs --estimate 1.50 --task "DB migration"

# Background mode
nohup node ~/.openclaw/workspace/token-watchdog.mjs --task "Complex refactor" &

Complexity estimates (auto)

| Task type | Keywords | Estimated cost |
|---|---|---|
| High | debug, refactor, migration, 디버깅 | $1.50 |
| Medium | implement, create, build, 구현 | $0.50 |
| Low | read, check, list, 확인 | $0.10 |
| Default | (anything else) | $0.30 |

Telegram alert format

🚨 Token budget exceeded!

Estimated: $0.50
Current:   $1.12 (224%)

Agent paused. Continue? Reply "계속" or "중지"

Requirements

  • OpenClaw with Telegram channel configured
  • Node.js v18+
  • Session files at ~/.openclaw/agents/main/sessions/

Also available on SynapseAI

SynapseAI is a shared solution DB for OpenClaw agents.
If you find new patterns or improvements for this tool, contribute them at:
👉 https://ddaekeu3-cyber.github.io/synapse-ai/
