Session Token Ledger
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is coherent for local token-usage auditing, but it reads OpenClaw session logs and can optionally install an automatic rebuild hook, so users should keep the generated ledger private.
This appears safe for its stated purpose if you want local token analytics. Before running it, understand that it reads completed OpenClaw session logs and creates persistent local database/markdown files. Keep those generated files private, and only install the optional hook if you want automatic updates after OpenClaw events.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the rebuild creates a local record of completed session usage and metadata; anyone who can read the generated assets may learn session IDs, paths, models, providers, and token totals.
The rebuild script reads local OpenClaw session transcript files and persists derived per-session ledger data, including session identifiers and file paths, into local assets.
SESSIONS_DIR = OPENCLAW_ROOT / 'agents' / 'main' / 'sessions' ... DB_PATH = ASSETS_DIR / 'session_tokens.db' ... 'session_key': session_key
Use the skill only on a trusted machine, avoid sharing the generated assets, and delete the ledger files if you no longer want this session metadata retained.
If the hook is installed, the ledger will continue updating automatically when those events occur, rather than only when manually run.
The optional hook setup creates event-triggered automation that runs the rebuild script after specific OpenClaw events.
Use this only if you want the ledger rebuilt automatically ... events ["command:new","command:reset","command:stop","gateway:startup"] ... spawnSync('python3', [SCRIPT, '--skill-dir', SKILL_DIR])Enable the hook only if you want ongoing automatic rebuilds, and remove the hook folder if you want to return to manual operation.