← 返回 Skills 市场
oldyoungcn

OpenClaw Token Monitor

作者 OldYoung · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
117
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install openclaw-token-monitor
功能描述
OpenClaw Token 实时监控面板。支持:(1) SQLite 持久化存储历史数据 (2) 实时监控当前 Token 消耗(增量曲线) (3) 历史视图查看任意一天的消耗 (4) 按日/时会话汇总 (5) 人民币费用估算(MiniMax 官方定价) (6) 滚轮缩放 X 轴 (7) 图表采样防卡顿。触发场...
安全使用建议
This skill appears to implement a local token-usage dashboard by calling the 'openclaw' CLI and saving snapshots to a local SQLite file. Before installing, consider: (1) The Node script requires '/tmp/node_modules/sql.js' via absolute path — ask the author why and ensure the runtime provides sql.js or modify the require to use a normal dependency. (2) The monitor persists session_key and per-session details in workspace/data/token_history.db — these can contain sensitive tokens/IDs; inspect that file and rotate any secrets if exposed. (3) The server listens on port 3000 and SKILL.md references a LAN IP; run it bound to localhost (or behind an authenticated proxy) and/or firewall the port if you don't want LAN access. (4) Verify the 'openclaw' CLI is legitimate and does not itself leak credentials. (5) Because part of the source was truncated in the package listing, review the full token-monitor.js for any outbound network calls or hidden endpoints before running. If you cannot audit or fix the absolute sql.js path and restrict the server, run the tool inside an isolated container/VM and limit filesystem/network exposure.
功能分析
Type: OpenClaw Skill Name: openclaw-token-monitor Version: 1.2.0 The skill provides a token monitoring dashboard that utilizes high-risk capabilities such as shell command execution (via `execFile` calling `openclaw`), network service hosting (`http.createServer` on `0.0.0.0:3000`), and file system persistence for a SQLite database. While these features are aligned with the stated purpose, the code contains several critical vulnerabilities: the `/api/daily` endpoint is susceptible to SQL injection through the `date` parameter, and the frontend dashboard is vulnerable to XSS as it renders session data without proper sanitization. Additionally, the script relies on an unusual dependency path (`/tmp/node_modules/sql.js`) and hardcodes a specific local IP address (`192.168.50.210`) in its documentation, which may indicate a poorly secured or environment-specific implementation.
能力标签
crypto
能力评估
Purpose & Capability
The name/description match the observed behavior: the server polls the OpenClaw CLI (openclaw sessions --active --json), computes rates/costs and persists snapshots to a local SQLite DB. Calling the OpenClaw CLI and writing a DB are expected for a token monitor. One oddity: the code requires sql.js using an absolute path (/tmp/node_modules/sql.js) rather than a normal package import; that's inconsistent with package.json (no dependencies declared) and the SKILL.md's claim of 'sql.js (WASM) no local compile needed'.
Instruction Scope
SKILL.md instructs running the included Node script which starts an HTTP server (port 3000) and polls the OpenClaw CLI every 3s. The server writes session_key and per-session details into a DB file under workspace/data/token_history.db. Persisting session_key and other session metadata is relevant to monitoring, but it is sensitive: if the server binds to non-local interfaces (the docs even show a LAN IP) or is left unprotected, those keys and usage data can be exposed. The instructions do not require or recommend restricting the listener to localhost or adding authentication.
Install Mechanism
No install spec (instruction-only plus included code), which is lower risk than downloading arbitrary code. However, the code requires initSqlJs from an absolute path (/tmp/node_modules/sql.js) rather than a module installed relative to the package — this is unusual and may indicate the script expects a preinstalled runtime artifact in /tmp, or will fail. There is no evidence of remote downloads in the provided files.
Credentials
The skill requests no env vars, which is reasonable. But it relies on executing the 'openclaw' CLI and then stores session_key values (and other session fields) to disk. Storing raw session keys/tokens is directly related to its purpose but is sensitive: without access controls the DB is a credential/secret store. The number of required credentials is zero and proportional, but the handling and storage of session keys requires caution.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It persists its own DB under workspace/data/token_history.db which is normal for this utility. It starts an HTTP server that may run indefinitely while active; that's appropriate for a monitoring dashboard but increases exposure if not bound/restricted.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install openclaw-token-monitor
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /openclaw-token-monitor 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
Version 1.2.0 introduces new updates and improvements: - Bumped version from 1.1.1 to 1.2.0. - Updated SKILL.md metadata to reflect new version. - Made changes to server and frontend scripts (token-monitor.js, token-monitor.html). - Updated package.json for versioning and possible dependency adjustments.
v1.1.1
v1.1.1: fix IIFE scope bug, date-display stuck, cost ¥153m→¥0.15
v1.1.0
Version 1.1.0 - Bumped version to 1.1.0 in SKILL.md and package.json. - No functional changes documented in SKILL.md.
v1.0.0
OpenClaw Token Monitor v1.0.0 — 实时 Token 消耗与历史数据分析中心 - 新增 SQLite 持久化存储,消耗历史数据不丢失 - 实时监控 Token 消耗与速率,每 3 秒自动更新 - 支持按日、按小时查看历史消耗趋势和会话详情 - 基于 MiniMax 定价,自动估算人民币消耗 - 可通过滚轮缩放图表 X 轴、防卡顿采样展示 - 环形图显示会话占比,支持一键导出 PNG 图表
元数据
Slug openclaw-token-monitor
版本 1.2.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 4
常见问题

OpenClaw Token Monitor 是什么?

OpenClaw Token 实时监控面板。支持:(1) SQLite 持久化存储历史数据 (2) 实时监控当前 Token 消耗(增量曲线) (3) 历史视图查看任意一天的消耗 (4) 按日/时会话汇总 (5) 人民币费用估算(MiniMax 官方定价) (6) 滚轮缩放 X 轴 (7) 图表采样防卡顿。触发场... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 117 次。

如何安装 OpenClaw Token Monitor?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-token-monitor」即可一键安装,无需额外配置。

OpenClaw Token Monitor 是免费的吗?

是的,OpenClaw Token Monitor 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

OpenClaw Token Monitor 支持哪些平台?

OpenClaw Token Monitor 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 OpenClaw Token Monitor?

由 OldYoung(@oldyoungcn)开发并维护,当前版本 v1.2.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 留言讨论