rusel95

Token Usage Optimizer

Author: Ruslan Popesku · GitHub ↗ · v1.0.5
darwin, linux ⚠ suspicious
Total downloads: 865
Favorites: 0
Current installs: 2
Versions: 6
Install in OpenClaw
/install token-usage-optimizer
Description
Maximize your Claude Code subscription value with smart usage monitoring and burn rate optimization. Track 5-hour session and 7-day weekly quotas, get one-ti...
Safe usage recommendations
This skill appears to implement the advertised usage-monitoring functionality, but it asks you to provide your Claude access/refresh tokens and its scripts will read local credential files and may update your ~/.claude/.credentials.json automatically. Before installing or running it:
- Only install from a source you trust (the registry shows unknown/unnamed origin here). Verify the repository and author.
- Inspect the included scripts yourself (they're all present) and confirm you are comfortable with them reading/writing ~/.claude/.credentials.json and creating a local .tokens file. The scripts set .tokens permissions to 600, which is good, but ensure the file is stored in a safe location.
- Consider running the tool in an isolated environment (container or dedicated user account) if you do not want it touching your main ~/.claude credentials.
- If you proceed, keep tokens short-lived and rotate them after testing; avoid pasting long-lived credentials unless necessary.
- If you want lower privilege: modify the scripts to disable the code that writes to ~/.claude/.credentials.json and require explicit user action to sync tokens.

I rated this as suspicious (not malicious) because the behavior can be explained by legitimate integration needs, but the automatic modification of another app's credential file and the token-extraction guidance materially increase risk and deserve explicit user consent and review.
Functional analysis
Type: OpenClaw Skill
Name: token-usage-optimizer
Version: 1.0.5

The skill bundle contains a critical shell injection vulnerability. The `scripts/setup.sh` script takes user input for `ACCESS_TOKEN` and `REFRESH_TOKEN` and writes it directly into the `.tokens` file. Other scripts (`scripts/check-usage.sh`, `scripts/auto-refresh-cron.sh`, `scripts/refresh-token.sh`) then use `source "$TOKEN_FILE"` to load these variables. An attacker could provide a crafted token (e.g., `"; evil_command #"`) during setup, leading to arbitrary code execution (RCE) when any of the sourcing scripts are run. Additionally, `scripts/check-usage.sh` uses `sed` to update the token file, which could also be vulnerable to injection if the token value is maliciously crafted. While the stated purpose is benign, these vulnerabilities allow for malicious exploitation.
Capability assessment
Purpose & Capability
Name/description align with the code and instructions: it polls Anthropic's usage endpoint, computes burn rate, caches results, and reports. Required binaries (curl, date, grep) match the shell-script implementation and are proportional to the stated goal.
Instruction Scope
SKILL.md and scripts instruct the agent/user to locate and extract OAuth tokens from local Claude CLI files or browser DevTools. Scripts read local token files and config (~/.claude/.credentials.json, various auth.json locations) and will attempt to sync/update that credentials JSON silently — a scope expansion beyond simply reading an API to measure usage. The token-extraction guidance (searching LocalStorage/secret-tool) is sensitive and could expose credentials if followed carelessly.
Install Mechanism
No remote install or download is performed; the skill is instruction- and script-based with no installer. That keeps install risk low because nothing is fetched and executed from an untrusted URL.
Credentials
The skill declares no environment variables or external credentials but legitimately requires the user's Claude access and refresh tokens. Asking for those tokens is necessary for the stated purpose, but the skill also reads/writes other local credential files (claude CLI credentials) which increases the sensitivity of the requested secrets.
Persistence & Privilege
Scripts write to/modify an external application's credentials file (~/.claude/.credentials.json) to 'sync' tokens and also create state/cache files under /tmp and a .tokens file inside the skill directory. Modifying another tool's credential file is higher privilege than simply storing its own state and should be highlighted to users.
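How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install token-usage-optimizer
  3. Once installation completes, invoke the Skill by name or trigger it with /token-usage-optimizer
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history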
v1.0.5
Version 1.0.5
- Fixed token extraction bug in auto-refresh-cron.sh (removed unnecessary quotes handling).
- Changed token health check from every 1 hour to every 30 minutes for increased reliability.
- Improved OAuth token sync process to be more robust, referencing ~/.claude/.credentials.json.
- Updated documentation to reflect changes and add a changelog section.
v1.0.4
Replace broken auto-refresh with reliable health check. OAuth tokens last ~1 week, manual refresh via 'claude auth login' takes 30 seconds. Hourly health check alerts only when action needed. No more spam!
v1.0.3
Fix auto-refresh interval: OAuth access tokens expire ~1h (not 9h). Changed recommended cron from every 5h to every 1h to prevent token expiration errors.
v1.0.2
Fixed auto-refresh on Linux: now uses Claude CLI for reliable OAuth token refresh. No more manual updates needed!
v1.0.1
Add auto-refresh: OAuth token refresh every 5 hours via cron to prevent expiration (tokens expire ~9 hours). Includes auto-refresh-cron.sh script and updated documentation.
v1.0.0
Initial release: Smart usage monitoring for Claude Code subscriptions with burn rate optimization
Metadata
Slug token-usage-optimizer
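Version 1.0.5
License
Total installs 2
Current installs 2
Historical versions 6
FAQ

What is Token Usage Optimizer?

Maximize your Claude Code subscription value with smart usage monitoring and burn rate optimization. Track 5-hour session and 7-day weekly quotas, get one-ti... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 865 total downloads to date.

How do I install Token Usage Optimizer?

Run the command "/install token-usage-optimizer" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Token Usage Optimizer free?

Yes, Token Usage Optimizer is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Token Usage Optimizer support?

Token Usage Optimizer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux).

Who developed Token Usage Optimizer?

It is developed and maintained by Ruslan Popesku (@rusel95); the current version is v1.0.5.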
