Cost Guardian by Dexter Labs
v1.0.0
Monitor and control OpenClaw API costs. Tracks token usage across all sessions, estimates spend by model, alerts on budget overruns, and recommends cheaper m...
by @tso1079
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (cost monitoring and optimization) aligns with the included script and SKILL.md. The script reads OpenClaw session data (~/.openclaw/agents/<agent>/sessions/sessions.json) and computes per-model/session cost estimates and recommendations — this is exactly what the skill claims to do. Requiring python3 is appropriate.
Instruction Scope
SKILL.md stays focused on cost reporting and optimization, and the script only reads a local sessions.json and prints or emits JSON reports. Two items to note: (1) SKILL.md asks the agent to create cron jobs to run the script and to "deliver the report via your preferred channel" — that grants the agent discretion to modify system crontab and to send the report over whatever delivery channel the agent uses (chat, email, webhook, etc.). These behaviors are consistent with 'automated reports' but are broader system actions than simply reading session data. (2) The script will exit with an error if the session file is missing; not a security problem but could cause noisy cron output.
Install Mechanism
No install spec (instruction-only plus a python script) — nothing is downloaded or extracted. Lowest risk for install mechanism; only requires a local python3 interpreter which is declared.
Credentials
The skill requests no environment variables or credentials. It reads the user's OpenClaw session store (a local file) which is necessary for cost calculation. There are no unrelated secrets requested.
Persistence & Privilege
Metadata does not request elevated or persistent privileges (always:false). However, SKILL.md explicitly instructs the agent to create cron jobs (system crontab changes) for automated reports. That is a legitimate feature for automation but is a system modification that the user should approve or perform manually.
Assessment
This skill appears to do what it says: it reads the OpenClaw sessions.json in your home directory, computes estimated costs, and prints or outputs JSON. Before installing/using:
1) Inspect ~/.openclaw/agents/<agent>/sessions/sessions.json to understand what data will be read (it may include conversation metadata and token counts or even message text).
2) Run scripts/cost-report.py locally once to review output and ensure the path and agent-id are correct.
3) If you don't want an agent to modify your system, set up the cron job yourself rather than giving the agent instructions to create it; cron entries will run with whatever permissions the user has.
4) Be aware that "deliver via your preferred channel" means the agent may transmit report contents over chat/email/webhooks — if your reports contain sensitive text snippets, route them carefully.
5) If you need different pricing, update the MODEL_PRICING dict in the script.
Overall the skill is coherent and contained, but grant automation (crontab or delivery) only with explicit consent.
Like a lobster shell, security has layers — review code before you run it.
latest vk9744hk5rw1b86z55wn1hzd5zs83kv2j
Runtime requirements
🛡️ Clawdis
Bins: python3
