
Token Config Checker

by joe12801 · GitHub ↗ · v1.1.4 · MIT-0
cross-platform ⚠ suspicious
Downloads: 128
Stars: 0
Active Installs: 0
Versions: 6
Install in OpenClaw
/install token-config-checker
Description
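Batch-checks the validity of token / auth JSON configuration files, can optionally run a lightweight online probe against the access token, and automatically produces a redacted report. Suited to troubleshooting login configurations, session credential files, and token cache files exported by Codex/OpenAI/OpenAI-compatible clients. Supports classifying configurations as valid / no_quota / invalid...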
Usage Guidance
This tool largely does what it says (checks token JSONs and can probe tokens), but exercise caution before using the --probe option: the enhanced script will embed your access_token and account_id inside a JSON payload and POST it to the probe URL you supply (or to a panel-style endpoint), which means tokens can be transmitted off your machine.

Notable red flags in the code: a hardcoded header Authorization: 'Bearer ab87036181' and a CODEX usage URL pointing to chatgpt.com — neither is explained in the README.

Recommendations:
  - If you only need structural checks, run the scripts without --probe (offline checks).
  - If you must probe, only point --probe-url to services you fully control (local network or endpoints you administer).
  - Review the code lines mentioned (build_codex_panel_payload and online_probe_codex_panel) so you understand exactly what is sent to probe-url.
  - Consider running the script in an isolated environment (air-gapped VM or container) and monitor outbound network traffic before trusting it with sensitive token files.
  - If unsure, ask the provider/author to explain the hardcoded Authorization value and why codex panel payloads are sent in that form; absence of a clear justification is a risk indicator.
Capability Analysis
Type: OpenClaw Skill
Name: token-config-checker
Version: 1.1.4

The skill bundle contains scripts (check_token_configs.py and check_token_configs_plus.py) designed to recursively scan the filesystem for sensitive JSON files containing authentication tokens, session credentials, and 'Codex' configurations. While the stated purpose is validation, the scripts are designed to transmit these highly sensitive credentials to external endpoints, including support for third-party 'management panels' using hardcoded identifiers (e.g., authIndex 'dd2b5cfe06a6586b' and a static Bearer token 'ab87036181'). The inherent risk of automated credential discovery combined with the capability to send them to arbitrary or third-party URLs (via the --probe-url argument) presents a significant risk of credential exposure.
Capability Assessment
Purpose & Capability
The name, README, SKILL.md and scripts align: they validate token JSONs, decode JWTs, check expirations, and optionally perform online probes. Those capabilities justify reading token-containing files and making HTTP requests to probe endpoints. However, the enhanced script contains CODEX-specific logic (CODEX_USAGE_URL -> 'https://chatgpt.com/backend-api/wham/usage', CODEX_UA user agent) and an unexplained hardcoded HTTP header 'Authorization': 'Bearer ab87036181' — these items are not documented in SKILL.md and lack justification in the README, which is unexpected.
Instruction Scope
SKILL.md warns that files are sensitive and recommends using --probe-url for private relays, but it does not clearly state that using --probe will send the file's access_token/account_id inside a JSON payload to the probe URL (the enhanced script builds a payload containing the token and account_id and POSTs it to the probe endpoint). That means probing can transmit full tokens to remote servers. The instructions understate this transmission and do not warn users that probe-url must be fully trusted; this is scope creep compared to a simple direct test against the service.
Install Mechanism
No install spec; it's instruction + scripts only. There is no package download or archive extraction. This minimizes installation risk.
Credentials
The skill requests no environment variables or system config, which is proportionate for a file-scanning/probing tool. However the scripts act on arbitrary filesystem paths you point them at and may send token values to remote endpoints when --probe is used. The combination of scanning sensitive files and network probes (especially the codex panel flow that embeds tokens in payloads) is sensitive and requires the user to trust the probe endpoint.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skill configs. It runs as invoked and does not escalate agent privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install token-config-checker
  3. After installation, invoke the skill by name or use /token-config-checker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.4
Make code defaults public-safe by using OpenAI official probe URL by default and remove private endpoint references from docs and code.
v1.1.3
Switch public docs examples back to OpenAI official probe URL; keep custom probe-url support for Codex/private relays.
v1.1.2
Add bilingual Chinese/English README and SKILL documentation.
v1.1.1
Polish public README and add PowerShell example for Windows users.
v1.1.0
Switch validation to Codex panel-compatible online probe, add valid/no-quota/invalid classification, and support saving each class into separate directories with index output.
v1.0.0
Initial release: batch token/auth JSON validity checker with offline checks, optional online probing, redacted reporting, and failure classification.
Metadata
Slug: token-config-checker
Version: 1.1.4
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 6
Frequently Asked Questions

What is Token Config Checker?

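Batch-checks the validity of token / auth JSON configuration files, can optionally run a lightweight online probe against the access token, and automatically produces a redacted report. Suited to troubleshooting login configurations, session credential files, and token cache files exported by Codex/OpenAI/OpenAI-compatible clients. Supports classifying configurations as valid / no_quota / invalid... It is an AI Agent Skill for Claude Code / OpenClaw, with 128 downloads so far.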

How do I install Token Config Checker?

Run "/install token-config-checker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Token Config Checker free?

Yes, Token Config Checker is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Token Config Checker support?

Token Config Checker is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Token Config Checker?

It is built and maintained by joe12801 (@joe12801); the current version is v1.1.4.
