← Back to Skills Marketplace
oldyoungcn

OpenClaw Token Monitor

by OldYoung · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
117
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install openclaw-token-monitor
Description
OpenClaw Token 实时监控面板。支持:(1) SQLite 持久化存储历史数据 (2) 实时监控当前 Token 消耗(增量曲线) (3) 历史视图查看任意一天的消耗 (4) 按日/时会话汇总 (5) 人民币费用估算(MiniMax 官方定价) (6) 滚轮缩放 X 轴 (7) 图表采样防卡顿。触发场...
Usage Guidance
This skill appears to implement a local token-usage dashboard by calling the 'openclaw' CLI and saving snapshots to a local SQLite file. Before installing, consider: (1) The Node script requires '/tmp/node_modules/sql.js' via absolute path — ask the author why and ensure the runtime provides sql.js or modify the require to use a normal dependency. (2) The monitor persists session_key and per-session details in workspace/data/token_history.db — these can contain sensitive tokens/IDs; inspect that file and rotate any secrets if exposed. (3) The server listens on port 3000 and SKILL.md references a LAN IP; run it bound to localhost (or behind an authenticated proxy) and/or firewall the port if you don't want LAN access. (4) Verify the 'openclaw' CLI is legitimate and does not itself leak credentials. (5) Because part of the source was truncated in the package listing, review the full token-monitor.js for any outbound network calls or hidden endpoints before running. If you cannot audit or fix the absolute sql.js path and restrict the server, run the tool inside an isolated container/VM and limit filesystem/network exposure.
Capability Analysis
Type: OpenClaw Skill Name: openclaw-token-monitor Version: 1.2.0 The skill provides a token monitoring dashboard that utilizes high-risk capabilities such as shell command execution (via `execFile` calling `openclaw`), network service hosting (`http.createServer` on `0.0.0.0:3000`), and file system persistence for a SQLite database. While these features are aligned with the stated purpose, the code contains several critical vulnerabilities: the `/api/daily` endpoint is susceptible to SQL injection through the `date` parameter, and the frontend dashboard is vulnerable to XSS as it renders session data without proper sanitization. Additionally, the script relies on an unusual dependency path (`/tmp/node_modules/sql.js`) and hardcodes a specific local IP address (`192.168.50.210`) in its documentation, which may indicate a poorly secured or environment-specific implementation.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
The name/description match the observed behavior: the server polls the OpenClaw CLI (openclaw sessions --active --json), computes rates/costs and persists snapshots to a local SQLite DB. Calling the OpenClaw CLI and writing a DB are expected for a token monitor. One oddity: the code requires sql.js using an absolute path (/tmp/node_modules/sql.js) rather than a normal package import; that's inconsistent with package.json (no dependencies declared) and the SKILL.md's claim of 'sql.js (WASM) no local compile needed'.
Instruction Scope
SKILL.md instructs running the included Node script which starts an HTTP server (port 3000) and polls the OpenClaw CLI every 3s. The server writes session_key and per-session details into a DB file under workspace/data/token_history.db. Persisting session_key and other session metadata is relevant to monitoring, but it is sensitive: if the server binds to non-local interfaces (the docs even show a LAN IP) or is left unprotected, those keys and usage data can be exposed. The instructions do not require or recommend restricting the listener to localhost or adding authentication.
Install Mechanism
No install spec (instruction-only plus included code), which is lower risk than downloading arbitrary code. However, the code requires initSqlJs from an absolute path (/tmp/node_modules/sql.js) rather than a module installed relative to the package — this is unusual and may indicate the script expects a preinstalled runtime artifact in /tmp, or will fail. There is no evidence of remote downloads in the provided files.
Credentials
The skill requests no env vars, which is reasonable. But it relies on executing the 'openclaw' CLI and then stores session_key values (and other session fields) to disk. Storing raw session keys/tokens is directly related to its purpose but is sensitive: without access controls the DB is a credential/secret store. The number of required credentials is zero and proportional, but the handling and storage of session keys requires caution.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It persists its own DB under workspace/data/token_history.db which is normal for this utility. It starts an HTTP server that may run indefinitely while active; that's appropriate for a monitoring dashboard but increases exposure if not bound/restricted.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-token-monitor
  3. After installation, invoke the skill by name or use /openclaw-token-monitor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Version 1.2.0 introduces new updates and improvements: - Bumped version from 1.1.1 to 1.2.0. - Updated SKILL.md metadata to reflect new version. - Made changes to server and frontend scripts (token-monitor.js, token-monitor.html). - Updated package.json for versioning and possible dependency adjustments.
v1.1.1
v1.1.1: fix IIFE scope bug, date-display stuck, cost ¥153m→¥0.15
v1.1.0
Version 1.1.0 - Bumped version to 1.1.0 in SKILL.md and package.json. - No functional changes documented in SKILL.md.
v1.0.0
OpenClaw Token Monitor v1.0.0 — 实时 Token 消耗与历史数据分析中心 - 新增 SQLite 持久化存储,消耗历史数据不丢失 - 实时监控 Token 消耗与速率,每 3 秒自动更新 - 支持按日、按小时查看历史消耗趋势和会话详情 - 基于 MiniMax 定价,自动估算人民币消耗 - 可通过滚轮缩放图表 X 轴、防卡顿采样展示 - 环形图显示会话占比,支持一键导出 PNG 图表
Metadata
Slug openclaw-token-monitor
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is OpenClaw Token Monitor?

OpenClaw Token 实时监控面板。支持:(1) SQLite 持久化存储历史数据 (2) 实时监控当前 Token 消耗(增量曲线) (3) 历史视图查看任意一天的消耗 (4) 按日/时会话汇总 (5) 人民币费用估算(MiniMax 官方定价) (6) 滚轮缩放 X 轴 (7) 图表采样防卡顿。触发场... It is an AI Agent Skill for Claude Code / OpenClaw, with 117 downloads so far.

How do I install OpenClaw Token Monitor?

Run "/install openclaw-token-monitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw Token Monitor free?

Yes, OpenClaw Token Monitor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does OpenClaw Token Monitor support?

OpenClaw Token Monitor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created OpenClaw Token Monitor?

It is built and maintained by OldYoung (@oldyoungcn); the current version is v1.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments