← Back to Skills Marketplace
fantasyengineercdream

ClawUsage Windows Hardlock

by fantasyengineercdream · GitHub ↗ · v0.2.1
cross-platform ⚠ suspicious
514
Downloads
0
Stars
0
Active Installs
11
Versions
Install in OpenClaw
/install clawusage-windows-hardlock
Description
Run local clawusage monitoring commands from chat (Telegram/Feishu). Use when user types `/clawusage ...` or asks to check Codex usage, enable/disable auto i...
README (SKILL.md)

ClawUsage Chat Command

Run bundled local scripts and return command output directly.

Command source:

  • scripts/clawusage.ps1 bundled inside this skill package

Supported arguments:

  • now
  • usage
  • status
  • help
  • lang
  • lang english
  • lang chinese
  • auto on [minutes]
  • auto off
  • auto set \x3Cminutes>
  • auto status
  • doctor
  • -help

Execution rules:

  1. Parse user input after /clawusage.
  2. If no argument is provided, default to usage.
  3. Input normalization:
    • map help to -help
    • allow 10m style minutes for auto on / auto set (strip trailing m)
    • map now / status to usage (single-command UX)
  4. Resolve skill script directory in this order:
    • $env:USERPROFILE\\.openclaw\\workspace\\skills\\clawusage\\scripts
    • $env:USERPROFILE\\.openclaw\\skills\\clawusage\\scripts
    • first recursive match under $env:USERPROFILE\\.openclaw\\ ending with \\clawusage\\scripts
  5. Prefer text-packaged script files (ClawHub-safe):
    • clawusage.ps1.txt
    • openclaw-usage-monitor.ps1.txt
    • clawusage-auto-worker.ps1.txt Fallback to direct .ps1 files only for local dev installs.
  6. Materialize runtime files under:
    • $env:USERPROFILE\\.clawusage\\skill-runtime
    • write clawusage.ps1, openclaw-usage-monitor.ps1, clawusage-auto-worker.ps1
  7. Run exactly one local command:
    • & powershell -NoProfile -ExecutionPolicy Bypass -File "\x3Cruntime_root>\\clawusage.ps1" \x3Cargs>
  8. This skill is disable-model-invocation: true; do not call the model for post-formatting.
  9. Return stdout directly. Do not rewrite, summarize, or translate command output.
  10. Do not run unrelated commands.
  11. If required files are missing, return a short actionable error saying to reinstall/update the skill.

Path-resolution snippet (PowerShell):

$scriptDirs = @(
  "$env:USERPROFILE\.openclaw\workspace\skills\clawusage\scripts",
  "$env:USERPROFILE\.openclaw\skills\clawusage\scripts"
)
$dir = $scriptDirs | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $dir) {
  $dir = Get-ChildItem -Path "$env:USERPROFILE\.openclaw" -Recurse -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match "[\\/]clawusage[\\/]scripts$" } |
    Select-Object -First 1 -ExpandProperty FullName
}
if (-not $dir) { throw "clawusage skill scripts folder not found. Reinstall clawusage skill." }

$runtimeRoot = Join-Path $env:USERPROFILE ".clawusage\skill-runtime"
New-Item -ItemType Directory -Path $runtimeRoot -Force | Out-Null

$pairs = @(
  @{ target = "clawusage.ps1"; srcTxt = "clawusage.ps1.txt"; srcPs1 = "clawusage.ps1" },
  @{ target = "openclaw-usage-monitor.ps1"; srcTxt = "openclaw-usage-monitor.ps1.txt"; srcPs1 = "openclaw-usage-monitor.ps1" },
  @{ target = "clawusage-auto-worker.ps1"; srcTxt = "clawusage-auto-worker.ps1.txt"; srcPs1 = "clawusage-auto-worker.ps1" }
)
foreach ($p in $pairs) {
  $srcTxt = Join-Path $dir $p.srcTxt
  $srcPs1 = Join-Path $dir $p.srcPs1
  $dst = Join-Path $runtimeRoot $p.target
  if (Test-Path -LiteralPath $srcTxt) {
    Copy-Item -LiteralPath $srcTxt -Destination $dst -Force
  } elseif (Test-Path -LiteralPath $srcPs1) {
    Copy-Item -LiteralPath $srcPs1 -Destination $dst -Force
  } else {
    throw "Missing script payload: $($p.srcTxt) (or $($p.srcPs1)). Reinstall clawusage skill."
  }
}

& powershell -NoProfile -ExecutionPolicy Bypass -File (Join-Path $runtimeRoot "clawusage.ps1") @args

\r \r

Usage Guidance
This skill will copy bundled PowerShell files into your user profile, read OpenClaw session logs and the local auth-profiles.json, and make an outbound request to https://chatgpt.com/backend-api/wham/usage using the token it finds. That can expose or transmit your local credentials to a remote endpoint. If you want to install it, first: (1) inspect the three included scripts locally (they're in the skill package) to confirm behavior and the exact endpoints called; (2) do not enable the 'auto' scheduled task unless you trust the code and endpoint; (3) consider running it in a restricted/test account or offline to verify what data it prints; and (4) ask the publisher to explicitly state why a bearer token is needed and which remote host will receive it. If you are uncomfortable with local token access or unknown network calls, do not install or run the skill.
Capability Analysis
Type: OpenClaw Skill Name: clawusage-windows-hardlock Version: 0.2.1 The skill implements several high-risk behaviors that, while aligned with its stated purpose of monitoring usage, constitute a significant attack surface. Specifically, 'openclaw-usage-monitor.ps1' programmatically extracts Bearer tokens from the user's 'auth-profiles.json' to make direct HTTPS requests to 'chatgpt.com', and 'clawusage.ps1' establishes persistence by installing a Windows Scheduled Task ('ClawUsageAuto') to run background workers. While no clear evidence of data exfiltration to unauthorized third parties was found, the automated handling of credentials and system-level persistence mechanisms warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill's name/description match the included PowerShell scripts: it inspects local OpenClaw session and usage data to report quotas and set idle alerts. Reading .openclaw workspace files and materializing/running local PS1 scripts is coherent with its stated monitoring purpose. However, extracting an auth token from OpenClaw's auth-profiles.json to query remote usage is a higher-privilege action than a simple local monitor and is not explicitly documented in the SKILL.md.
Instruction Scope
The runtime scripts (openclaw-usage-monitor.ps1 and clawusage-auto-worker.ps1) parse local session logs and auth-profiles.json to compute token/usage data, and they perform an outbound HTTPS call to https://chatgpt.com/backend-api/wham/usage using a bearer token taken from the local auth file. The SKILL.md does not explicitly state that local credentials will be read or that external network calls will be made with those tokens. That combination (reading local creds + remote call) is sensitive and worth scrutiny.
Install Mechanism
Instruction-only skill with bundled .txt PowerShell scripts; no downloads or third-party install steps. It will copy packaged text files into a runtime folder under %USERPROFILE% and execute them. No external install URLs or extracted archives are used.
Credentials
The skill declares no required env vars or credentials, yet the scripts access user files (e.g., %USERPROFILE%\.openclaw\agents\main\agent\auth-profiles.json and session logs) and optionally include local tokens in output. Using a locally stored auth token to call an external API is not reflected in the metadata and is disproportionate for a 'view usage' description unless the user expects the tool to use that token.
Persistence & Privilege
The scripts can create a persistent runtime directory under %USERPROFILE% (\.clawusage\skill-runtime) and can register a Windows Scheduled Task (ClawUsageAuto) to run the background worker at intervals. This is consistent with 'auto idle alerts' functionality but is a persistent change that will run periodically in the user's account.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawusage-windows-hardlock
  3. After installation, invoke the skill by name or use /clawusage-windows-hardlock
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Route A hardening: publish-safe script payload (.ps1.txt), runtime rehydration to .clawusage/skill-runtime, and skill-only execution path that no longer depends on global clawusage.cmd.
v0.2.0
Route A pure-skill packaging: bundle runtime scripts in skill, switch to writable user-state path, and enable direct /clawusage execution without external repo runtime.
v0.1.9
Route A start: package runtime scripts inside skill folder so /clawusage can run from skill install, add UTF-8 output hardening, and improve Chinese UI readability.
v0.1.8
Switch to single-command usage UX (/clawusage => usage), improve live speed with direct Codex usage path, and simplify Telegram command parsing.
v0.1.7
Add doctor command, speed up default cache path, and migrate legacy popup scripts to no-popup chat-safe shims.
v0.1.6
Default /clawusage to help, add one-time language hint, and support cached fast status.
v0.1.5
Default /clawusage to help and add one-time language setup hint.
v0.1.4
Improve chat readability with action-specific compact output templates.
v0.1.2
Fix default status path, add lang switch, and support help/status/10m inputs.
v0.1.1
Add status/help/lang support and split clawusage as standalone project.
v0.1.0
Initial public release.
Metadata
Slug clawusage-windows-hardlock
Version 0.2.1
License
All-time Installs 1
Active Installs 0
Total Versions 11
Frequently Asked Questions

What is ClawUsage Windows Hardlock?

Run local clawusage monitoring commands from chat (Telegram/Feishu). Use when user types `/clawusage ...` or asks to check Codex usage, enable/disable auto i... It is an AI Agent Skill for Claude Code / OpenClaw, with 514 downloads so far.

How do I install ClawUsage Windows Hardlock?

Run "/install clawusage-windows-hardlock" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ClawUsage Windows Hardlock free?

Yes, ClawUsage Windows Hardlock is completely free (open-source). You can download, install and use it at no cost.

Which platforms does ClawUsage Windows Hardlock support?

ClawUsage Windows Hardlock is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created ClawUsage Windows Hardlock?

It is built and maintained by fantasyengineercdream (@fantasyengineercdream); the current version is v0.2.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments