joe12801

Token Config Checker

Author: joe12801 · GitHub ↗ · v1.1.4 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 128
Favorites: 0
Current installs: 0
Versions: 6
Install in OpenClaw
/install token-config-checker
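Description
Batch-checks the validity of token / auth JSON configuration files, can optionally run a lightweight online probe against the access token, and automatically outputs a redacted report. Suitable for troubleshooting login configurations, session credential files and token cache files exported by Codex/OpenAI/OpenAI-compatible clients. Supports classifying configurations as valid / no_quota / invalid...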
Security Usage Recommendations
This tool largely does what it says (checks token JSONs and can probe tokens), but exercise caution before using the --probe option: the enhanced script will embed your access_token and account_id inside a JSON payload and POST it to the probe URL you supply (or to a panel-style endpoint), which means tokens can be transmitted off your machine.

Notable red flags in the code: a hardcoded header Authorization: 'Bearer ab87036181' and a CODEX usage URL pointing to chatgpt.com — neither is explained in the README.

Recommendations:
- If you only need structural checks, run the scripts without --probe (offline checks).
- If you must probe, only point --probe-url to services you fully control (local network or endpoints you administer).
- Review the code lines mentioned (build_codex_panel_payload and online_probe_codex_panel) so you understand exactly what is sent to probe-url.
- Consider running the script in an isolated environment (air-gapped VM or container) and monitor outbound network traffic before trusting it with sensitive token files.
- If unsure, ask the provider/author to explain the hardcoded Authorization value and why codex panel payloads are sent in that form; absence of a clear justification is a risk indicator.
Functional Analysis
Type: OpenClaw Skill
Name: token-config-checker
Version: 1.1.4

The skill bundle contains scripts (check_token_configs.py and check_token_configs_plus.py) designed to recursively scan the filesystem for sensitive JSON files containing authentication tokens, session credentials, and 'Codex' configurations. While the stated purpose is validation, the scripts are designed to transmit these highly sensitive credentials to external endpoints, including support for third-party 'management panels' using hardcoded identifiers (e.g., authIndex 'dd2b5cfe06a6586b' and a static Bearer token 'ab87036181'). The inherent risk of automated credential discovery combined with the capability to send them to arbitrary or third-party URLs (via the --probe-url argument) presents a significant risk of credential exposure.
Capability Assessment
Purpose & Capability
The name, README, SKILL.md and scripts align: they validate token JSONs, decode JWTs, check expirations, and optionally perform online probes. Those capabilities justify reading token-containing files and making HTTP requests to probe endpoints. However, the enhanced script contains CODEX-specific logic (CODEX_USAGE_URL -> 'https://chatgpt.com/backend-api/wham/usage', CODEX_UA user agent) and an unexplained hardcoded HTTP header 'Authorization': 'Bearer ab87036181' — these items are not documented in SKILL.md and lack justification in the README, which is unexpected.
Instruction Scope
SKILL.md warns that files are sensitive and recommends using --probe-url for private relays, but it does not clearly state that using --probe will send the file's access_token/account_id inside a JSON payload to the probe URL (the enhanced script builds a payload containing the token and account_id and POSTs it to the probe endpoint). That means probing can transmit full tokens to remote servers. The instructions understate this transmission and do not warn users that probe-url must be fully trusted; this is scope creep compared to a simple direct test against the service.
Install Mechanism
No install spec; it's instruction + scripts only. There is no package download or archive extraction. This minimizes installation risk.
Credentials
The skill requests no environment variables or system config, which is proportionate for a file-scanning/probing tool. However the scripts act on arbitrary filesystem paths you point them at and may send token values to remote endpoints when --probe is used. The combination of scanning sensitive files and network probes (especially the codex panel flow that embeds tokens in payloads) is sensitive and requires the user to trust the probe endpoint.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skill configs. It runs as invoked and does not escalate agent privileges.
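How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install token-config-checker
  3. Once installation completes, call the Skill by name or trigger it with /token-config-checker
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output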
Version History
v1.1.4
Make code defaults public-safe by using OpenAI official probe URL by default and remove private endpoint references from docs and code.
v1.1.3
Switch public docs examples back to OpenAI official probe URL; keep custom probe-url support for Codex/private relays.
v1.1.2
Add bilingual Chinese/English README and SKILL documentation.
v1.1.1
Polish public README and add PowerShell example for Windows users.
v1.1.0
Switch validation to Codex panel-compatible online probe, add valid/no-quota/invalid classification, and support saving each class into separate directories with index output.
v1.0.0
Initial release: batch token/auth JSON validity checker with offline checks, optional online probing, redacted reporting, and failure classification.
Metadata
Slug token-config-checker
Version 1.1.4
License MIT-0
Total installs 0
Current installs 0
Historical versions 6
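FAQ

What is Token Config Checker?

Batch-checks the validity of token / auth JSON configuration files, can optionally run a lightweight online probe against the access token, and automatically outputs a redacted report. Suitable for troubleshooting login configurations, session credential files and token cache files exported by Codex/OpenAI/OpenAI-compatible clients. Supports classifying configurations as valid / no_quota / invalid... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 128 total downloads to date.

How do I install Token Config Checker?

Run the command "/install token-config-checker" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Token Config Checker free?

Yes, Token Config Checker is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Token Config Checker support?

Token Config Checker runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Token Config Checker?

Developed and maintained by joe12801 (@joe12801); the current version is v1.1.4.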
