← Back to Skills Marketplace
ainclaw

TOKEN SOP

by ainclaw · GitHub ↗ · v5.6.0 · MIT-0
cross-platform ⚠ suspicious
205
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install token-sop
Description
自动缓存并复用本地成功工作流,优先本地执行节省Token,支持断网使用和云端备份共享。
Usage Guidance
This skill implements local caching and cloud backup of recorded workflows and will automatically replay cached workflows to save tokens. Before installing or enabling it: - Be aware auto_contribute is enabled by default and will upload sanitized workflow traces to the configured cloud endpoint (default https://api.ainclaw.com). If you don't want any cloud uploads, set auto_contribute=false and/or change cloud_endpoint to an internal or empty value. - Sanitization is best-effort (regex + field-name rules). Do not assume all secrets (passwords, tokens, session cookies, form fields) will always be removed. Audit saved workflows in ~/.openclaw/workflows to verify no sensitive data is present. - The skill will automatically execute cached workflows (local or cloud) when a match occurs. That means it can perform browser actions on your behalf (clicks, form submissions, navigation). If that is a risk for you, disable the skill (enabled=false) or avoid using in sensitive contexts. - If you want to use it but reduce risk: disable auto_contribute, enable local_store only, review and sanitize workflows before allowing execution, and set a restrictive cloud_endpoint. If possible, request an explicit 'prompt before replay' option from the author or inspect/modify the code to add a confirmation step. - If you plan to rely on this skill in production or on sensitive accounts, perform a manual code review and test in an isolated environment first. The code itself appears coherent with its described purpose, but the default configuration choices increase privacy/execution risk.
Capability Analysis
Type: OpenClaw Skill Name: token-sop Version: 5.6.0 The 'TOKEN SOP' skill captures browser interaction traces and automatically uploads them to a remote cloud endpoint (api.ainclaw.com) via the 'auto_contribute' feature enabled by default in skill.json. While the skill includes a PII sanitizer (sanitizer.js) designed to strip passwords and API keys, the inherent nature of exfiltrating session history and DOM metadata to a third-party server poses a high privacy risk. Furthermore, the skill executes 'Lobster' workflows fetched from the remote cloud (interceptor.js), which effectively allows the remote server to dictate browser actions on the user's machine. Although these behaviors are documented as 'token-saving' features, the combination of data exfiltration and remote workflow execution warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description (local workflow caching, replay, optional cloud backup) matches the code and declared permissions (browser, lobster, sessions_history, network). Files and APIs used (filesystem, undici network client) are expected for this purpose.
Instruction Scope
SKILL.md and code direct the agent to read session history, compile traces, save workflows locally, and (by default) contribute them to a cloud endpoint. That scope matches the stated purpose, but the README/SKILL.md emphasize 'local-first' and 'privacy' while the code enables auto_contribute=true by default and will automatically execute local/cloud workflows without an explicit user confirmation step. This grants the skill broad discretion to perform automated browser actions and to upload sanitized workflow data — a behavior users may not expect.
Install Mechanism
Instruction-only install (no external installer). All dependencies are included in package.json (undici) and code is bundled in the skill; there are no downloads from untrusted URLs or extract steps. Low install risk.
Credentials
The skill requests no external credentials, only uses HOME to store workflows under ~/.openclaw/workflows. However it defaults to auto_contribute=true and a public cloud_endpoint (https://api.ainclaw.com). That means it will upload (sanitized) workflow traces to an external service by default. Sanitization is best-effort (regex + field-name rules) and may miss secrets; automatic uploads and execution create a higher-than-expected data-exfiltration risk relative to the 'local-first, private' marketing claim.
Persistence & Privilege
The skill is not always:true and does not change other skills' configs. It registers normal hooks (on_intent_received, on_session_complete) and writes its own files under the user's home directory. The automatic replay of cached workflows is a functional behavior (not a stealthy persistent privilege), but it does mean the skill can autonomously perform browser actions when matched.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install token-sop
  3. After installation, invoke the skill by name or use /token-sop
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v5.6.0
- Updated dependencies in package.json - Minor metadata adjustments in skill.json No functional changes to the skill logic.
v1.0.1
- Major documentation overhaul: SKILL.md fully rewritten for better readability and engagement. - Added user pain points, psychological analysis, and strong value propositions. - Clarified feature explanations with real-world comparisons and user scenarios. - Installation reasons and benefits made clearer for a wide audience. - Configuration table remains for quick technical reference.
v1.0.0
Initial release of token-sop. - Adds local workflow caching: automatically saves successful workflows locally for future reuse. - Enables local-first matching to minimize token usage on repeat tasks. - Supports optional cloud backup to share workflows across nodes. - Features auto-learning: caches successful executions automatically. - Provides customizable configuration for cache directory, enabling/disabling features, cloud endpoint, and timeouts.
Metadata
Slug token-sop
Version 5.6.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is TOKEN SOP?

自动缓存并复用本地成功工作流,优先本地执行节省Token,支持断网使用和云端备份共享。 It is an AI Agent Skill for Claude Code / OpenClaw, with 205 downloads so far.

How do I install TOKEN SOP?

Run "/install token-sop" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is TOKEN SOP free?

Yes, TOKEN SOP is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does TOKEN SOP support?

TOKEN SOP is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created TOKEN SOP?

It is built and maintained by ainclaw (@ainclaw); the current version is v5.6.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments