Token Watch
v1.2.3
Track and analyze token usage and costs across AI providers with budget alerts, model cost comparison, optimization tips, and local data storage.
by @vedantsingh60
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
The skill's name, README, manifest and SKILL.md all describe local-only token tracking, budgeting, model comparison and export features; the single Python file contains a pricing table and classes to record usage and budgets. No external credentials, binaries, or unrelated capabilities are requested, so the required resources are proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to import TokenWatch, record usage (manually or via provider response objects), set budgets, and export reports. The instructions reference only a local storage path (.tokenwatch) and provider response objects; they do not instruct reading unrelated system files or accessing external endpoints. The autohooks to parse Anthropic/OpenAI response objects are expected for this purpose.
Install Mechanism
This is an instruction-only skill with source included; there is no install spec and no downloads. It relies only on the standard library. That is the lowest-risk install model and consistent with the claim of 'zero dependencies'.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That aligns with the manifest and SKILL.md claim that it works locally and needs no API keys.
Persistence & Privilege
The skill stores data locally under the .tokenwatch directory (documented). It is not always-enabled and does not request elevated system privileges. Note: local storage of detailed usage could contain sensitive prompts/data depending on what you record—this is expected for a monitoring tool but worth being aware of.
Assessment
This package appears internally consistent with its stated purpose: a local-only token/cost monitor that needs no API keys. Before installing or enabling it for an agent, do the following:
1) Inspect the full tokenwatch.py file (and run it in a sandbox) to verify there are no network calls or unexpected behavior—while the imports shown are standard-library-only, you should confirm the truncated part of the shipped file is syntactically correct;
2) Be aware it writes usage and alerts to a .tokenwatch directory on disk—avoid recording sensitive prompt content there or protect the directory with file system permissions;
3) If you plan to pass provider response objects into the monitor, confirm those response objects do not themselves contain secrets you don't want stored;
4) Because the included file preview showed what looks like a truncated/typoed default (e.g., 'per_call_usd: Optional[float] = N'), run the package (or a linter) to ensure it runs without error—if an error exists, contact the maintainer or review the source on the linked repository before use.
Overall this looks coherent and appropriate for the described function, but audit the shipped Python file and storage path before trusting it in production.
Like a lobster shell, security has layers — review code before you run it.
