rusel95

Token Usage Optimizer

by Ruslan Popesku · GitHub ↗ · v1.0.5
darwin, linux ⚠ suspicious
Downloads: 865
Stars: 0
Active Installs: 2
Versions: 6
Install in OpenClaw
/install token-usage-optimizer
Description
Maximize your Claude Code subscription value with smart usage monitoring and burn rate optimization. Track 5-hour session and 7-day weekly quotas, get one-ti...
Usage Guidance
This skill appears to implement the advertised usage-monitoring functionality, but it asks you to provide your Claude access/refresh tokens and its scripts will read local credential files and may update your ~/.claude/.credentials.json automatically. Before installing or running it:
- Only install from a source you trust (the registry shows unknown/unnamed origin here). Verify the repository and author.
- Inspect the included scripts yourself (they're all present) and confirm you are comfortable with them reading/writing ~/.claude/.credentials.json and creating a local .tokens file. The scripts set .tokens permissions to 600, which is good, but ensure the file is stored in a safe location.
- Consider running the tool in an isolated environment (container or dedicated user account) if you do not want it touching your main ~/.claude credentials.
- If you proceed, keep tokens short-lived and rotate them after testing; avoid pasting long-lived credentials unless necessary.
- If you want lower privilege: modify the scripts to disable the code that writes to ~/.claude/.credentials.json and require explicit user action to sync tokens.

I rated this as suspicious (not malicious) because the behavior can be explained by legitimate integration needs, but the automatic modification of another app's credential file and the token-extraction guidance materially increase risk and deserve explicit user consent and review.
Capability Analysis
Type: OpenClaw Skill
Name: token-usage-optimizer
Version: 1.0.5

The skill bundle contains a critical shell injection vulnerability. The `scripts/setup.sh` script takes user input for `ACCESS_TOKEN` and `REFRESH_TOKEN` and writes it directly into the `.tokens` file. Other scripts (`scripts/check-usage.sh`, `scripts/auto-refresh-cron.sh`, `scripts/refresh-token.sh`) then use `source "$TOKEN_FILE"` to load these variables. An attacker could provide a crafted token (e.g., `"; evil_command #"`) during setup, leading to arbitrary code execution (RCE) when any of the sourcing scripts are run. Additionally, `scripts/check-usage.sh` uses `sed` to update the token file, which could also be vulnerable to injection if the token value is maliciously crafted. While the stated purpose is benign, these vulnerabilities allow for malicious exploitation.
Capability Assessment
Purpose & Capability
Name/description align with the code and instructions: it polls Anthropic's usage endpoint, computes burn rate, caches results, and reports. Required binaries (curl, date, grep) match the shell-script implementation and are proportional to the stated goal.
Instruction Scope
SKILL.md and scripts instruct the agent/user to locate and extract OAuth tokens from local Claude CLI files or browser DevTools. Scripts read local token files and config (~/.claude/.credentials.json, various auth.json locations) and will attempt to sync/update that credentials JSON silently — a scope expansion beyond simply reading an API to measure usage. The token-extraction guidance (searching LocalStorage/secret-tool) is sensitive and could expose credentials if followed carelessly.
Install Mechanism
No remote install or download is performed; the skill is instruction- and script-based with no installer. That keeps install risk low because nothing is fetched and executed from an untrusted URL.
Credentials
The skill declares no environment variables or external credentials but legitimately requires the user's Claude access and refresh tokens. Asking for those tokens is necessary for the stated purpose, but the skill also reads/writes other local credential files (claude CLI credentials) which increases the sensitivity of the requested secrets.
Persistence & Privilege
Scripts write to/modify an external application's credentials file (~/.claude/.credentials.json) to 'sync' tokens and also create state/cache files under /tmp and a .tokens file inside the skill directory. Modifying another tool's credential file is higher privilege than simply storing its own state and should be highlighted to users.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install token-usage-optimizer
  3. After installation, invoke the skill by name or use /token-usage-optimizer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
Version 1.0.5
- Fixed token extraction bug in auto-refresh-cron.sh (removed unnecessary quotes handling).
- Changed token health check from every 1 hour to every 30 minutes for increased reliability.
- Improved OAuth token sync process to be more robust, referencing ~/.claude/.credentials.json.
- Updated documentation to reflect changes and add a changelog section.
v1.0.4
Replace broken auto-refresh with reliable health check. OAuth tokens last ~1 week, manual refresh via 'claude auth login' takes 30 seconds. Hourly health check alerts only when action needed. No more spam!
v1.0.3
Fix auto-refresh interval: OAuth access tokens expire ~1h (not 9h). Changed recommended cron from every 5h to every 1h to prevent token expiration errors.
v1.0.2
Fixed auto-refresh on Linux: now uses Claude CLI for reliable OAuth token refresh. No more manual updates needed!
v1.0.1
Add auto-refresh: OAuth token refresh every 5 hours via cron to prevent expiration (tokens expire ~9 hours). Includes auto-refresh-cron.sh script and updated documentation.
v1.0.0
Initial release: Smart usage monitoring for Claude Code subscriptions with burn rate optimization
Metadata
Slug token-usage-optimizer
Version 1.0.5
License
All-time Installs 2
Active Installs 2
Total Versions 6
Frequently Asked Questions

What is Token Usage Optimizer?

Maximize your Claude Code subscription value with smart usage monitoring and burn rate optimization. Track 5-hour session and 7-day weekly quotas, get one-ti... It is an AI Agent Skill for Claude Code / OpenClaw, with 865 downloads so far.

How do I install Token Usage Optimizer?

Run "/install token-usage-optimizer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Token Usage Optimizer free?

Yes, Token Usage Optimizer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Token Usage Optimizer support?

Token Usage Optimizer is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created Token Usage Optimizer?

It is built and maintained by Ruslan Popesku (@rusel95); the current version is v1.0.5.
