fumarole16-afk

Ai Bill Clawhub

Author: fumarole16-afk · GitHub ↗ · v2.2.5
cross-platform ⚠ suspicious
Total downloads: 1439
Favorites: 0
Current installs: 2
Versions: 3
Install in OpenClaw
/install ai-bill-clawhub
Description
Real-time AI API usage tracking and cost monitoring for OpenClaw. Track spending across OpenAI, Claude, Gemini, Kimi, DeepSeek, and Grok with live dashboard....
Instructions (SKILL.md)

AI Bill Intelligence

Real-time billing dashboard for OpenClaw. Accurate token-based cost tracking across 12+ AI providers.

🚀 Installation

openclaw skill install https://github.com/fumabot16-max/bill-project

🛠 Usage

The skill operates via a background collector. As an agent, you can help the user by:

  1. Reporting Usage: Read /root/.openclaw/workspace/bill_project/dist/usage.json to summarize spending.
  2. Updating Balances: Redirect the user to the /setup page or update vault.json on their behalf.
  3. Checking Health: Ensure the ai-bill service and collector.js are running.

⚙️ Configuration

  • Port: Default is 8003.
  • Modes: prepaid, postpaid, subscribe, unused (off).

📂 Managed Files (Declarations)

This skill manages the following data files inside the app/ directory:

  • app/vault.json: User-defined balances and payment modes.
  • app/prices.json: AI model pricing data.
  • app/cumulative_usage.json: Archived costs from expired sessions.
  • app/dist/usage.json: Real-time aggregated usage data for the dashboard.
  • app/debug.log: Collector activity logs.

Built by Tiger Jung & Chloe (@fumarole16-afk).

Security recommendations
Do not run the included installer or setup scripts without manual review. Specific risks to consider:

  • The collector reads agent session files (/root/.openclaw/agents/...) and the OpenClaw config — these can contain sensitive runtime/session metadata; confirm you are comfortable with that access.
  • Installer.sh uses sudo to install systemd services and writes to system locations (/etc/systemd/system, /var/www/html). That gives persistent, privileged background processes; only allow if you trust the code and run it on an isolated host.
  • Several repository and path names are inconsistent (bill-project vs project-bill vs ai-bill etc.) and SKILL.md paths don't always match code. This could be sloppy or indicate copy-paste errors; it is a red flag — verify the canonical source repository and inspect it yourself.
  • The web UI includes weak client-side locking (hard-coded SECURE_CODE = "1234") and the collector writes usage to /var/www/html, which may expose billing/session data publicly without authentication.

Recommendations:

  1. Inspect the full code locally (collector.js, installer.sh, setup.js) before running anything. Search for all file reads/writes and network calls.
  2. If you want to try it, run on an isolated VM/container (not your primary machine) and do not run installer.sh with sudo until you’ve audited the service unit files it would install.
  3. Remove or change any code that writes usage to a public webroot, and protect the dashboard with a real server-side auth mechanism.
  4. Confirm the authoritative GitHub repository and verify checksums/releases instead of piping curl|bash from an unknown URL.
  5. If you cannot audit the code, prefer an alternative tool from a known, trusted source.
Functional analysis
Type: OpenClaw Skill
Name: ai-bill-clawhub
Version: 2.2.5

The skill is classified as suspicious due to several high-risk capabilities and questionable practices. The `app/collector.js` script reads sensitive OpenClaw agent session data (`/root/.openclaw/agents/main/sessions/sessions.json` and `/root/.openclaw/openclaw.json`) and performs high-privilege writes to system-wide web server directories (`/var/www/html/bill/usage_live.json`, `/var/www/html/bill/usage.json`). Additionally, the `app/sync_prices.sh` script declares fetching prices from a specific GitHub repository (`openclaw/project-bill`) but then hardcodes the content, creating a discrepancy that raises supply chain concerns. A hardcoded weak password ('1234') for a client-side lock screen is also present in `app/index.html`, indicating poor security hygiene. While these actions are not explicitly malicious, they represent significant vulnerabilities and powerful capabilities that could be exploited.
Capability assessment
Purpose & Capability
The code implements a realtime billing/usage dashboard which aligns with the skill name/description. However there are multiple mismatches (installer and README reference different GitHub repo names: bill-project vs project-bill vs project-bill-master; several file paths differ across SKILL.md, collector.js, and scripts). The installer and scripts also attempt system-level actions (sudo, systemd service installation, writing to /var/www/html) that are beyond a simple in-agent billing helper and are disproportionate unless you expect a self-hosted system service.
Instruction Scope
SKILL.md explicitly directs an agent to read files under /root/.openclaw/workspace/bill_project/... and to update vault.json on the user's behalf. The collector code reads agent session data (/root/.openclaw/agents/main/sessions/sessions.json) and the OpenClaw config (/root/.openclaw/openclaw.json). Reading those paths can surface sensitive session/config information; writing vault.json or updating config is a scope-expanding action. There are also inconsistent references to usage.json locations (SKILL.md vs code).
Install Mechanism
Although registry metadata shows 'instruction-only', the bundle includes an installer script that downloads a zip from GitHub (curl/wget -> unzip -> npm install) and runs privileged actions. The installer uses sudo to copy systemd unit files and enable/start services. The repository URLs and archive names are inconsistent (bill-project vs project-bill), which is sloppy and increases risk (a crafted URL mismatch could point to an unexpected repo). The sync_prices.sh script writes fabricated pricing (adds 'GPT-9-ULTRA') and writes to a root path; using curl/wget + unzip + npm install from remote sources is higher risk and should be treated as arbitrary code execution if run.
Credentials
The skill declares no required environment variables or credentials, yet the collector and server access many system paths (agent sessions, OpenClaw config, /root/.openclaw workspace files) and write to system locations (/var/www/html). Accessing agent session files and the OpenClaw config can expose conversation metadata and runtime defaults. The lack of declared credentials while code touches these sensitive files is a mismatch and reduces transparency about what will be accessed.
Persistence & Privilege
Installer.sh attempts to create systemd services (copies files to /etc/systemd/system and enables/starts them) or to start background Node processes. That creates persistent background collectors running as system services and requires sudo. The skill does not declare 'always: true' but the installer’s use of systemd and nohup gives it persistent presence and elevated privileges if the user runs the installer with sudo.
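How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install ai-bill-clawhub
  3. Once installation completes, invoke the Skill by name or trigger it with /ai-bill-clawhub
  4. Provide the required input according to the Skill's parameter documentation to get structured output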
Version history
v2.2.5
Improved structure and file management for AI Bill Intelligence

  • Migrated all app and data files into a dedicated app/ directory for better organization.
  • Updated configuration and usage documentation, with clearer setup and agent instructions.
  • Expanded support for managing multiple AI providers and billing modes.
  • Skill now explicitly manages key data files for usage, pricing, balances, and logs.
  • Multiple new files added for improved dashboard assets, collector operation, and service scripts.
  • Removed obsolete root-level files to reduce clutter.
v2.1.0
  • Renamed skill from "ai-bill-clawhub" to "ai-bill-intelligence."
  • Expanded provider support: now tracks usage and costs for OpenAI, Claude, Gemini, Kimi, DeepSeek, and Grok.
  • Improved documentation with clear setup steps, configuration instructions, and usage examples.
  • Added guidance for pricing configuration and troubleshooting service status/logs.
  • Emphasized real-time dashboard features for monitoring spending, balances, and cost trends.
v2.0.0
Major update: New version with rebranding and expanded features.

  • Renamed to AI Bill Intelligence.
  • Now tracks usage and costs for OpenAI, Claude, Gemini, Kimi, DeepSeek, and Grok.
  • Real-time dashboard displays spending, token statistics, and cost trends.
  • Supports per-provider balances and pricing configuration.
  • Includes background collector service for automatic usage updates.
Metadata
Slug ai-bill-clawhub
Version 2.2.5
License
Total installs 4
Current installs 2
Version count 3
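FAQ

What is Ai Bill Clawhub?

Real-time AI API usage tracking and cost monitoring for OpenClaw. Track spending across OpenAI, Claude, Gemini, Kimi, DeepSeek, and Grok with live dashboard.... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1439 total downloads so far.

How do I install Ai Bill Clawhub?

Run the command "/install ai-bill-clawhub" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Ai Bill Clawhub free?

Yes, Ai Bill Clawhub is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Ai Bill Clawhub support?

Ai Bill Clawhub is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Ai Bill Clawhub?

It is developed and maintained by fumarole16-afk (@fumarole16-afk); the current version is v2.2.5.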
