Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawmeter
v1.0.0
Tracks OpenClaw API usage and spending in real-time with customizable budget alerts and detailed cost breakdowns by model and session.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The code and documentation match the name/description: it parses OpenClaw session logs, aggregates token usage, computes costs, stores results in SQLite, exposes a local REST API and dashboard, and can send alerts via Telegram/SMTP. Those capabilities are appropriate for a cost-tracking dashboard.
Instruction Scope
Runtime instructions and code ingest files under ~/.openclaw/agents/*/sessions/*.jsonl (session logs). Session logs can contain conversational content and metadata; the skill parses them without any documented content-filtering. The server is intentionally unauthenticated and binds to localhost by default (docs state 'local-only' and 'no authentication'), which increases risk if the machine/network exposes the port. The SKILL.md allows configuring external alerting endpoints (Telegram, SMTP) which will transmit alerts off-host if enabled. This broad file access and unauthenticated API are scope/risk concerns.
Install Mechanism
No external binary downloads or obscure installers: the package includes its source, and an install script writes files under the user's OpenClaw workspace and creates a symlink in ~/.openclaw/skills. Installation steps are documented; nothing in the install flow indicates a hidden external fetch of arbitrary code.
Credentials
Registry metadata lists no required env vars/config paths, but SKILL.md and code expect configurable paths and optional credentials (OPENCLAW_AGENTS_DIR, CLAWMETER_DB, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, SMTP_HOST/USER/PASS, etc.). The alert integrations legitimately require credentials if you enable them. The metadata omission of the config path(s) (OpenClaw agents directory) is an inconsistency that reduces transparency about what the skill will access.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable (normal). It does create files/symlinks under ~/.openclaw/skills and a local database. The bigger issue: an unauthenticated local HTTP API and dashboard could expose potentially sensitive usage data (and possibly session content depending on what the ingest extracts) to other local users or network services if the machine is misconfigured. That persistent local endpoint combined with filesystem ingestion increases blast radius.
What to consider before installing
ClawMeter appears to implement the advertised cost-tracking functionality, but take these precautions before installing:
- Review source before running: inspect src/ingest.mjs and src/alerts.mjs to confirm they only extract token counts/metadata (and do not transmit full conversation text) and to see exactly what gets included in alerts or API responses.
- Mind the undocumented access: although metadata lists no config paths, the skill reads your OpenClaw agents directory (session logs). Confirm you are comfortable with the skill parsing those files.
- Protect the dashboard/API: the server is unauthenticated by default. Restrict it to 127.0.0.1, enable OS firewall rules, or run the skill in a sandbox/container or VM. If you expose the port, add an auth/reverse-proxy with TLS and credentials.
- Be cautious with alert credentials: only add TELEGRAM_BOT_TOKEN or SMTP credentials if you trust the code and the external endpoints. Store secrets securely and avoid committing .env to source control.
- Run initial tests in an isolated environment: run ingest and server on a throwaway account or container to verify exactly what data is collected and what the API returns.
- If you plan to publish or distribute this skill, update the registry metadata to declare the config paths and any environment variables the skill may access so users are informed up front.
If you want, I can: (A) point out specific lines to inspect in ingest.mjs and alerts.mjs, (B) list a short checklist of exact code locations to audit for data exfiltration, or (C) suggest a minimal wrapper (systemd or Docker) to lock the service down to localhost and a constrained filesystem.
Like a lobster shell, security has layers — review code before you run it.
