Token Usage Tracker

v1.0.0

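Token usage tracking system. Records the input/output token consumption of each conversation, with cumulative statistics and budget control. Triggered when the user says "token statistics" (token统计), "usage tracking" (用量追踪), "how much was consumed" (消耗了多少), or "how many tokens did it cost me" (花了我多少token).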

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (token usage tracking, budgeting) matches the code and SKILL.md: functions to estimate tokens, record turns, compute stats, check budgets, and export history are implemented. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md shows example usage and describes storing prompts in the TurnUsage interface, but the implementation only records numeric token counts (it does not persist raw prompt/response text). Also the README example uses require(...) (CommonJS) while the shipped file is an ES module (.mjs with export), so the import example is incorrect — callers must use import or adjust usage. Aside from these doc mismatches, the instructions do not ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
There is no install spec and no downloads; this is an instruction + code-only skill with no external install artifacts. That minimizes supply-chain risk.
Credentials
The skill does not request environment variables, credentials, or config paths. Its behavior (local counting and budgeting) does not require secrets, so the lack of required env vars is appropriate.
Persistence & Privilege
The tracker persists data to disk by default (storagePath defaults to './.usage-tracker.json'). This is reasonable for a usage tracker, but users should be aware it writes a JSON file in the current working directory (or whatever storagePath is provided). No evidence of attempts to modify other skills or system-wide settings; always:false and no elevated privileges are requested.
Assessment
This skill looks coherent and locally scoped, but check two small issues before installing: (1) the SKILL.md import example uses require(...) while the file is an ES module — import it with ESM syntax or adapt as needed; (2) the README implies prompts might be recorded but the code only stores numeric token counts (it does not persist raw prompt/response text). Also note the tracker writes a JSON file by default at ./.usage-tracker.json — if that location is sensitive, set storagePath to a secure directory with appropriate permissions. If you need the skill to keep no disk traces, do not enable it or pass a temporary in-memory path. Otherwise it is internally consistent and does not request secrets or network access.

Like a lobster shell, security has layers — review code before you run it.
