← Back to Skills Marketplace
OpenClaw Output Metrics Footer
by
udaymanish6
· GitHub ↗
· v0.2.1
· MIT-0
80
Downloads
1
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install openclaw-output-metrics-footer
Description
Install, configure, maintain, or troubleshoot a compact OpenClaw output footer that shows live context usage, output tokens, Codex quota remaining, model use...
Usage Guidance
This extension does what it advertises (adds a metrics footer) but it also reads your OpenClaw auth profile file to extract an OAuth token and sends that token to an external endpoint (chatgpt.com/backend-api/wham/usage) to obtain quota info. Before installing: 1) Inspect the auth-profiles.json contents on your system to confirm what secrets are stored there and whether you are comfortable allowing a plugin to read them. 2) Verify the external endpoint is trustworthy — consider replacing or redirecting the quota call to a provider you control or to an official API (openai.com) if possible. 3) If you want to reduce risk, edit index.ts to (a) remove automatic auth-file reads and require an explicit, limited read-only quota token in the plugin config, or (b) omit quota fetching entirely so tokens never leave the host. 4) Restrict enabledChannels/disabledConversations to non-sensitive channels and test in an isolated environment before deploying to production. 5) Note the metadata omission: the skill does not declare it needs access to auth files/credentials; treat that as a red flag and prefer explicit consent or code changes that make credential usage transparent.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-output-metrics-footer
Version: 0.2.1
The skill's extension (index.ts) programmatically accesses the OpenClaw credential store at '~/.openclaw/agents/main/agent/auth-profiles.json' to extract OAuth access tokens. While this is used for the stated purpose of fetching usage metrics from 'https://chatgpt.com/backend-api/wham/usage', the direct reading of sensitive authentication files and the use of those tokens in network requests constitutes a high-risk behavior that could be repurposed for data exfiltration.
Capability Tags
Capability Assessment
Purpose & Capability
The skill's name/description (append an output footer with token/context/quota metrics) matches the code: it listens to llm_output and message_sending and composes a footer. However the code reads the local OpenClaw auth profile file (~/.openclaw/agents/main/agent/auth-profiles.json) to extract an openai-codex OAuth token and uses that token to call https://chatgpt.com/backend-api/wham/usage. Reading the agent auth store and doing an external fetch with a bearer token is not reflected in the skill metadata (no required config paths or credentials), so this access is disproportionate or at least insufficiently disclosed.
Instruction Scope
The SKILL.md/README instructs copying the extension and updating openclaw.json but does not declare that the extension will read the agent auth-profiles.json file or that it will make outbound network calls carrying an OAuth bearer token. The code's behavior (reading local auth store and making quota requests) is outside what the prose explicitly lists as required resources, creating an information gap that could hide sensitive access.
Install Mechanism
No automated install script or remote downloads are used: the extension template is copied locally. This is low-risk from an install-download perspective (no remote arbitrary code fetch).
Credentials
The package declares no required env vars or config paths, yet the code reads the agent auth profile file to extract an access token. Using a bearer token to call an external service (chatgpt.com) is sensitive: while a token is logically needed to fetch quota, the code does not ask the user to opt in or document the specific endpoint in the SKILL.md, and the chosen domain is atypical (not an official openai.com admin endpoint), increasing the risk that a token could be sent to an unexpected service.
Persistence & Privilege
The plugin registers long-lived hooks (llm_output and message_sending) — which is normal — but it also reads other agent configuration (auth-profiles.json). Accessing the agent's credential store means the plugin can observe tokens belonging to the agent; this is a higher privilege than the README/metadata claims and should be treated carefully. The plugin is not 'always:true' and does not modify other skills, but the credential access is notable.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-output-metrics-footer - After installation, invoke the skill by name or use
/openclaw-output-metrics-footer - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Parse current Codex quota usage windows
v0.2.0
Expand footer support from Discord-only to all OpenClaw text channels
Metadata
Frequently Asked Questions
What is OpenClaw Output Metrics Footer?
Install, configure, maintain, or troubleshoot a compact OpenClaw output footer that shows live context usage, output tokens, Codex quota remaining, model use... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.
How do I install OpenClaw Output Metrics Footer?
Run "/install openclaw-output-metrics-footer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Output Metrics Footer free?
Yes, OpenClaw Output Metrics Footer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does OpenClaw Output Metrics Footer support?
OpenClaw Output Metrics Footer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw Output Metrics Footer?
It is built and maintained by udaymanish6 (@udaymanish6); the current version is v0.2.1.
More Skills