Kimi Usage Monitor

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its quota-monitoring purpose, but it needs review because it uses your logged-in browser session and can allow autonomous subagent work even when quota checks fail.

Review before installing. Use this only if you are comfortable granting it OpenClaw browser access to your logged-in Kimi console. Keep browser access scoped to the Kimi tab if possible, change the guard to fail closed on errors, and enable the hourly cron/OpenClaw job only if you truly want ongoing monitoring.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If OpenClaw reports other browser targets, the skill may inspect unrelated tabs while trying to locate Kimi. The artifacts do not show exfiltration, but the access is broader than the stated quota-checking purpose requires.

Why it was flagged

The script snapshots each reported browser target ID until it finds Kimi, instead of first limiting snapshot access to a verified kimi.com tab. That can expose non-Kimi browser page contents to the skill process.

Skill content

matches = re.findall(..., tabs_output) ... for target_id in matches: snap_result = subprocess.run(["openclaw", "browser", "snapshot", "--target-id", target_id], ...)

Recommendation

Filter the tab list by URL before calling the snapshot command, disclose the exact browser access needed, and attach only the Kimi console tab when using the skill.

What this means

Automated workflows could spawn subagents or continue intensive work when quota status is unknown, potentially wasting quota or increasing costs.

Why it was flagged

The subagent guard explicitly allows spawning when the quota check fails, even though the skill is meant to prevent excessive autonomous usage.

Skill content

"can_spawn": True, "error": data["error"], "note": "Defaulting to allow due to check failure"

Recommendation

Fail closed by default when usage cannot be verified, and require an explicit user override before allowing subagents or intensive operations.

What this means

Users may not realize from registry metadata that the skill needs browser-control tooling and an active logged-in Kimi session.

Why it was flagged

The registry metadata does not declare the Python/OpenClaw/Chrome/session prerequisites that the README, SKILL.md, and scripts require.

Skill content

Required binaries (all must exist): none ... Primary credential: none

Recommendation

Declare Python/OpenClaw/Chrome requirements and the authenticated browser-session dependency in metadata or installation requirements.

Note: High Confidence

ASI10: Rogue Agents

What this means

If enabled, the monitor may keep accessing the Kimi console on a schedule even after the immediate task is done.

Why it was flagged

The skill suggests a recurring scheduled job. This is disclosed and user-directed, but it would keep running periodically until removed.

Skill content

Hourly monitoring cron: ... Add to crontab or OpenClaw jobs ... 0 * * * * cd /path/to/kimi-usage-monitor && python3 scripts/usage_logger.py

Recommendation

Only add the cron/OpenClaw job if continuous monitoring is intended, and document how to disable or remove it.