Session Token Ledger

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the rebuild creates a local record of completed session usage and metadata; anyone who can read the generated assets may learn session IDs, paths, models, providers, and token totals.

Why it was flagged

The rebuild script reads local OpenClaw session transcript files and persists derived per-session ledger data, including session identifiers and file paths, into local assets.

Skill content

SESSIONS_DIR = OPENCLAW_ROOT / 'agents' / 'main' / 'sessions' ... DB_PATH = ASSETS_DIR / 'session_tokens.db' ... 'session_key': session_key

Recommendation

Use the skill only on a trusted machine, avoid sharing the generated assets, and delete the ledger files if you no longer want this session metadata retained.

Note

High Confidence

ASI10: Rogue Agents

What this means

If the hook is installed, the ledger will continue updating automatically when those events occur, rather than only when manually run.

Why it was flagged

The optional hook setup creates event-triggered automation that runs the rebuild script after specific OpenClaw events.

Skill content

Use this only if you want the ledger rebuilt automatically ... events ["command:new","command:reset","command:stop","gateway:startup"] ... spawnSync('python3', [SCRIPT, '--skill-dir', SKILL_DIR])

Recommendation

Enable the hook only if you want ongoing automatic rebuilds, and remove the hook folder if you want to return to manual operation.