TokFlow
v0.5.0Token 消耗监控与优化分析工具。查询 LLM 模型用量、费用、各渠道余额、提问方式分析与优化建议。当用户询问 token 消耗、模型费用、优化建议、渠道余额、提问方式优化等问题时使用此技能。
⭐ 2· 918·0 current·0 all-time
byEadon Wang@wangyaok1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (token consumption monitoring, optimization, prompt stats) matches the provided code and SKILL.md. The included script only queries a local API (http://localhost:8001/api) for dashboards, models, provider balances, suggestions, analysis and prompt statistics — this is consistent with the stated purpose. No extraneous credentials or unrelated binaries are requested by the skill itself.
Instruction Scope
SKILL.md instructs the agent to run scripts/tokflow_query.py which issues HTTP requests to a local backend. The skill does not instruct reading arbitrary files or env vars itself, but explicitly states the data source is OpenClaw local JSONL session files and that provider balances are queried from platform APIs — those actions are performed by the TokFlow backend, not by this wrapper script. That means the runtime behavior and data access depend on the backend implementation; the skill delegates potentially sensitive actions (reading conversation history, contacting provider APIs) to that local service.
Install Mechanism
No install spec is present (instruction-only plus a small helper script). There are no downloads, package installs, or archive extraction. The included Python script is straightforward and only connects to localhost; nothing is written to disk by an installer as part of this skill package.
Credentials
The skill itself requests no environment variables or credentials, which is proportionate for a thin wrapper that queries a local service. However, the SKILL.md and README indicate the TokFlow backend will access OpenClaw session JSONL files and external provider APIs — that backend will therefore require access to conversation data and provider credentials. Users should verify where and how those credentials are stored and ensure the backend handles them securely.
Persistence & Privilege
Flags show always:false (not force-included) and normal autonomous invocation allowed. The skill does not request to modify other skills or system-wide settings and does not require persistent elevated privileges.
Assessment
This skill is a thin client that calls a local TokFlow service on http://localhost:8001 to get token/usage reports and suggestions; the wrapper itself is low-risk (no external downloads, no env-vars requested), but the backend it depends on will have access to your OpenClaw session files and any provider credentials needed to check balances. Before installing or using: (1) confirm you actually have a trusted TokFlow backend running on localhost (or else the calls will fail); (2) inspect and trust the TokFlow backend code/config — it will read conversation logs and may store/provider API keys; (3) ensure provider credentials are stored securely and not exposed to untrusted services; (4) if you lack assurance about the backend, run this skill in an isolated/test environment or review the backend implementation first.Like a lobster shell, security has layers — review code before you run it.
latestvk9756vhjb1r5b7sd7dw0b2cacx80ync1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.