RedLine
ReviewAudited by ClawScan on May 10, 2026.
Overview
RedLine’s goal is coherent, but it asks the agent to use local OAuth/session credentials and run missing, unreviewed scripts on every heartbeat.
Treat this as needing review before installation. The usage-pacing idea is legitimate, but do not connect it to heartbeat or let it read Keychain/auth-profile tokens until the actual scripts are included, reviewed, and the credential/config requirements are accurately declared.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may not provide the advertised scripts, or could lead the agent/user to run scripts from an unreviewed location if they are added separately.
The package contains only documentation, while SKILL.md and README.md repeatedly reference executable scripts such as scripts/claude-usage and scripts/openai-usage. This creates a provenance and review gap for the core functionality.
2 file(s): README.md (3101 bytes), SKILL.md (3180 bytes)
Do not wire this into heartbeat until the actual scripts are included in the package and reviewed. The registry metadata should match the files and capabilities actually shipped.
A script with access to these tokens could potentially act as the user against the corresponding provider account, not just read usage limits.
The skill directs access to local OAuth/session credential stores for Claude and OpenAI. That access is related to usage checking, but the metadata declares no credentials or config paths and the implementation is absent, so token handling cannot be verified.
Reads the Claude Code OAuth token from macOS Keychain ... Reads the OpenAI OAuth token from OpenClaw's auth-profiles
Only use reviewed scripts that narrowly read the documented token locations, call the intended provider usage endpoints, and never log, copy, or transmit tokens elsewhere.
If the heartbeat is configured, the agent may repeatedly execute unknown or missing local commands during normal operation.
The heartbeat instructions call for recurring local command execution, but those scripts are not present in the reviewed package. This makes the automatic execution target unclear.
Run `scripts/claude-usage --json` and `scripts/openai-usage --json` to check rate limits.
Avoid adding these commands to heartbeat until the scripts are present, pinned to a known path, and reviewed for safe behavior.
Stored usage state could influence future behavior, such as making the agent conserve or skip work; if the state is wrong or tampered with, pacing decisions may be wrong.
The skill persists account usage and budget state for reuse by the agent. This is disclosed and purpose-aligned, but it becomes part of ongoing agent context.
Store readings in memory/heartbeat-state.json under "usage.claude" and "usage.openai".
Keep this state file scoped to usage metrics only, avoid storing tokens, and let the user inspect or reset it.