Token Watch

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Token Watch appears to be a local token-cost tracker; the main thing to notice is that it stores usage, budget, and alert records on disk.

This looks reasonable for local AI cost tracking. Before installing, be aware that it creates local records under .tokenwatch by default, so avoid putting sensitive details in task labels and manage those files like other private usage logs.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

Your AI usage history, spending patterns, and any task labels you provide may remain on your machine and could be visible to anyone with access to those files.

Why it was flagged

The code stores usage records locally and those records can include human-readable task labels and session identifiers.

Skill content

self.storage_path = Path(storage_path)
...
self.usage_file = self.storage_path / "usage.json"
...
task_label: Optional[str] = None
...
session_id: Optional[str] = None

Recommendation

Use non-sensitive task labels, store the .tokenwatch directory somewhere appropriate, and delete or protect the local records if they contain private project information.