Google AI Usage Monitor
v1.0.0Monitor Google AI Studio (Gemini API) usage, rate limits, and quota consumption with automated alerts.
⭐ 1· 1.4k·1 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to monitor Google AI Studio usage via browser automation and send alerts to Discord — that purpose is plausible. However, the skill requests no credentials or webhooks yet instructs accessing a protected Google usage dashboard and posting to a Discord channel. Legitimate implementations would normally require explicit authentication details (OAuth/service account, API credentials, or a Discord webhook/token). The omission is inconsistent with the described capability.
Instruction Scope
SKILL.md directs the agent to open the Google AI Studio usage page using a named browser profile (profile=openclaw) and parse live dashboard data. That implies the agent will access the user's authenticated Google session and potentially any data available in that session. The instructions do not limit access to only usage metrics and do not describe how to obtain consent or restrict scope. They also assume the ability to post to Discord without specifying how authentication is performed.
Install Mechanism
This is an instruction-only skill with no install steps and no code files, so there is no download/execute footprint to review. That lowers supply-chain risk, but runtime actions (browser automation, posting to external channels) remain significant.
Credentials
No required environment variables or primary credential are declared, yet the workflow clearly needs authenticated access to a Google account/project and a way to send Discord messages (webhook or bot token). The absence of declared credentials is disproportionate and unclear — it suggests the skill expects to reuse existing browser sessions or platform-level secrets without explicitly stating or limiting them.
Persistence & Privilege
always:false and standard autonomous invocation are fine. The SKILL.md includes a cron job example and delivery instructions for posting to Discord, which implies autonomous periodic checks. Autonomous invocation combined with implicit use of an agent browser profile increases the blast radius if credentials/sessions are broad, so you should be cautious even though no 'always:true' or installer-level persistence is requested.
What to consider before installing
Before installing or enabling this skill, ask the author how authentication is performed and avoid giving it access to your primary Google session. Prefer a least-privilege approach: use an explicit service account or monitoring API (not dashboard scraping) with only read/monitoring permissions, and provide a scoped Discord webhook or bot token dedicated to alerts. Do not rely on a shared browser profile (profile=openclaw) unless you understand exactly which account/session it will use; that profile could expose unrelated Google data. If you must use this skill, run it in an isolated agent/session, insist the skill declare required env vars (Google credentials or service account, DISCORD_WEBHOOK_URL or bot token), and review any actual code (if provided) to confirm it only reads the intended dashboard endpoints and only posts to the specified channel. If the source/author is unknown or you cannot supply scoped credentials, treat this skill as risky and avoid installing it.Like a lobster shell, security has layers — review code before you run it.
latestvk975csp6ncxwbjxkap7eq1wyd180pjax
License
MIT-0
Free to use, modify, and redistribute. No attribution required.