ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ZAI Coding Plan Usage

Query Z.ai (智谱) Coding Plan usage and quota limits. Track token consumption, MCP usage, and subscription status. Use when user asks about "智谱用量"、"ZAI usage"、...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 22 · 0 current installs · 0 all-time installs
by@hyizhou
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the code: the script queries Z.ai (open.bigmodel.cn) usage endpoints. However the registry metadata declares no required config paths or env vars while the code explicitly reads ~/.openclaw/.../auth-profiles.json and falls back to ZAI_API_KEY / ZHIPU_API_KEY. That discrepancy between declared requirements and actual behavior is an incoherence.
Instruction Scope
SKILL.md instructs running the included node script and documents the three API endpoints; the script does only GET requests and prints results. The script reads the OpenClaw auth file in the user's home directory to obtain an API key (profiles['zai:default']) and sends it in an Authorization header — this is within the stated purpose but it does access a local config file containing credentials, which the metadata did not declare.
Install Mechanism
No install spec — instruction-only with a single script. Nothing is downloaded or written to disk by an installer step.
Credentials
The script only needs a Z.ai API key (from OpenClaw config or ZAI_API_KEY / ZHIPU_API_KEY). That is proportionate to the task, but the skill registry did not declare these env vars or the config path as requirements, which is an omission users should be aware of because the script will access a local auth file.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system config, and only runs when invoked. It does perform network requests to open.bigmodel.cn using the API key it reads.
What to consider before installing
This skill appears to do what it claims (query Z.ai usage) and its code is small and readable. However: (1) it reads your OpenClaw auth file at ~/.openclaw/agents/main/agent/auth-profiles.json to find profiles['zai:default'] (and falls back to env vars ZAI_API_KEY or ZHIPU_API_KEY) — the skill registry did not declare that config path or env vars, so the metadata is incomplete; (2) the script sends the API key in an Authorization header to open.bigmodel.cn — ensure you trust that endpoint and that the auth file only contains keys you’re willing to expose for this purpose. Before installing, consider either setting a dedicated ZAI_API_KEY environment variable scoped to this skill or inspecting the auth-profiles.json file contents to confirm it doesn’t contain other sensitive keys. If you need higher assurance, run the script locally yourself and inspect its output and network calls.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9779gxm7fe2m9f4ms8fwrfdtn831d2p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Z.ai Coding Plan Usage Query

Query Z.ai (智谱 AI) Coding Plan usage and quota limits.

Usage

Just say:

  • "智谱用量查询"
  • "Check ZAI usage"
  • "coding plan usage"

Script

node ~/.openclaw/workspace/skills/zai-coding-plan-usage/scripts/query-usage.mjs

API Endpoints

APIEndpointDescription
Model usage/api/monitor/usage/model-usageModel call statistics
Tool usage/api/monitor/usage/tool-usageTool call statistics
Quota limit/api/monitor/usage/quota/limitQuota limits

Notes

  • API Key is automatically read from OpenClaw config or environment variables
  • Works only in environments with Z.ai API configured

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…