new-api-usage
v1.0.1
Query usage statistics and quota from a user-specified new-api endpoint. Use when the user asks to check API quota, usage records, token consumption, model-l...
by @wang48
MIT-0
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description ask for querying usage/quota and the included script implements exactly that: GETs to /api/usage/token/ and /api/log/token with an explicit --base-url and --key. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md requires explicit base URL and key and instructs read-only GETs only; the script follows this. One notable behavior: the usage endpoint call sends the API key both in the Authorization header and as a query parameter (key={api_key}), which is coherent with the documented endpoint but increases risk of key exposure via logs/referrers on the server or intermediaries. The skill otherwise does not read local files, config, or extra env vars.
Install Mechanism
No install spec and no external downloads; the skill is instruction-only with an included Python script that runs with the user's Python runtime.
Credentials
No environment variables, credentials, or config paths are requested. The single required secret is the API key provided on the command line, which matches the skill's purpose.
Persistence & Privilege
Skill is not always-enabled, does not modify agent/system configs, and does not request persistent presence or elevated privileges.
Assessment
This skill appears to do what it says: it will perform read-only GET requests to the base URL you provide and requires you to pass the API key explicitly. Before running it, make sure you trust the target base URL (don't pass keys to unknown servers). Prefer HTTPS and a server you control or trust because the script sends the key in both an Authorization header and as a query parameter — query parameters can be logged or leaked via referrers. If you want to reduce exposure, consider modifying the script to avoid sending the key in the URL query string (only use the Authorization header). Also review the printed output when using --json to ensure no sensitive fields are included (the script intentionally avoids printing the full key). Finally, be aware of a possible API-response handling quirk in print_quota (the script checks quota_data.get('code') in a way that may treat some valid responses as errors); this is a correctness issue, not evidence of malicious behavior.
Like a lobster shell, security has layers — review code before you run it.
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
