Clawmeter
Pass
Audited by ClawScan on May 10, 2026.
Overview
ClawMeter appears purpose-aligned, but users should be comfortable with it reading OpenClaw session logs, running a local dashboard, and optionally sending budget alerts through Telegram or email.
Before installing, verify the package source because the registry metadata does not provide a homepage/source and the docs contain placeholder repository instructions. If you use it, keep the dashboard local, protect the generated database, review which OpenClaw log directory it monitors, and use dedicated Telegram/SMTP credentials for alerts.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may have less ability to verify where the package came from or compare it against an upstream repository.
The package is presented without a clear source or homepage, while the skill documentation relies on external setup steps. This creates a provenance gap users should verify before running npm-based setup commands.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the package contents and source before installing, and be cautious with placeholder repository instructions.
Your local OpenClaw usage history, costs, model choices, session identifiers, and related metadata may be indexed into ClawMeter’s local database.
The skill reads OpenClaw session logs across agents and persists extracted usage/cost data in its database. This is expected for cost tracking, but session logs can reflect sensitive work patterns and metadata.
ClawMeter watches your `~/.openclaw/agents/*/sessions/*.jsonl` files for changes.
Use it only if you are comfortable with this local monitoring, review the configured log and database paths, and protect or delete the generated database as needed.
If configured, ClawMeter can use your bot token or email account credentials to send budget alerts.
Optional Telegram and SMTP credentials are documented for alert delivery. This is purpose-aligned, but users should treat those credentials as sensitive.
`TELEGRAM_BOT_TOKEN=your_bot_token` ... `SMTP_USER=your@email.com` ... `SMTP_PASS=your_app_password`
Use least-privilege bot/app passwords, avoid reusing primary passwords, and do not commit `.env` files.
If the local port is exposed beyond your machine, others could query spending summaries, session metadata, and alert history.
The dashboard/API is intentionally unauthenticated and intended for localhost use. This is common for a local tool, but it should not be exposed to other users or networks.
No authentication - Documented as local-only, acceptable for v0.1.0
Keep the service bound to localhost, do not expose port 3377 publicly, and add authentication before any remote or team deployment.
After you start the server, ClawMeter will continue monitoring session logs until the process is stopped.
The skill includes a long-running watcher that automatically ingests new log data while the dashboard server is running. It is disclosed and aligned with the product purpose.
Auto-Ingestion — Watches your session logs and ingests new data automatically
Run it only when you want monitoring enabled, and stop the server when you no longer need real-time tracking.
