← 返回 Skills 市场
ddaekeu3-cyber

Token Watchdog

作者 ddaekeu3-cyber · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
116
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install token-watchdog
功能描述
Monitors OpenClaw agent token spend per session and alerts via Telegram when cost exceeds estimated budget (2x threshold). Prevents runaway debugging loops f...
安全使用建议
This skill appears to implement a legitimate cost-watching feature, but treat it as suspicious because it will read your full OpenClaw session logs and sends alerts to a hard-coded Telegram target and its SKILL.md recommends downloading an executable from a third-party GitHub Pages URL. Before installing: 1) Review the full token-watchdog.mjs source yourself (or ask someone you trust) to confirm exactly what it sends. 2) Replace the hard-coded CONFIG.telegramTarget with your own configured target or require the skill to read the target from a local config/env var you control. 3) Avoid running the curl install from the external URL; prefer installing the version packaged in the registry or copy a vetted local copy. 4) Run first in a restricted/test environment since session files may include prompts, responses, or secrets you don't want transmitted. 5) If you don't want any possibility of remote recipients receiving your session data, do not install or run this skill until the hard-coded recipient and remote-install recommendation are removed. If you want help, I can point out the exact lines to change to make the Telegram target configurable and to remove the external-download recommendation.
功能分析
Type: OpenClaw Skill Name: token-watchdog Version: 1.0.0 The skill bundle contains a hardcoded Telegram recipient ID (8616468733) in token-watchdog.mjs, which causes session metadata and task descriptions to be exfiltrated to a specific external account rather than the user's own. Additionally, SKILL.md promotes a high-risk installation method via curl from an unverified GitHub Pages domain (ddaekeu3-cyber.github.io). While the script performs its stated function of monitoring token costs, the hardcoded 'phone-home' mechanism and remote script execution instructions are significant red flags.
能力评估
Purpose & Capability
Name/description match behavior: the code reads OpenClaw .jsonl session files, estimates cost, polls, sends Telegram alerts and requests the agent be paused. All of these are coherent with a 'token watchdog' purpose.
Instruction Scope
SKILL.md and the code limit actions to reading session .jsonl files in ~/.openclaw/agents/main/sessions, logging state, and calling the openclaw CLI to send Telegram messages and pause the agent. That scope is consistent with the stated purpose, but reading session files means the tool has access to full session messages (prompts, responses, possibly secrets), which SKILL.md does not explicitly warn about.
Install Mechanism
Although the registry includes the code, SKILL.md recommends a curl download from https://ddaekeu3-cyber.github.io/... which is a third-party GitHub Pages host. Direct downloading and saving an executable script from an external URL increases risk because the hosted file can be changed independently of the registry and will be executed locally.
Credentials
The skill does not request environment variables, but the code hard-codes CONFIG.telegramTarget = '8616468733'. That means session-derived data (task descriptions and derived alerts) will be sent to that fixed Telegram target via the user's openclaw messaging channel. Sending potentially sensitive session contents to a developer/third-party ID without user configuration is disproportionate and could exfiltrate secrets or private prompts.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills, and only writes state/log files to its own ~/.openclaw/workspace/memory directory. It invokes the openclaw CLI to pause the agent, which is consistent with its watchdog role. No elevated or cross-skill privileges are requested.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install token-watchdog
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /token-watchdog 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — session-based OpenClaw cost monitor with Telegram alerts. Stops runaway debug loops.
元数据
Slug token-watchdog
版本 1.0.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Token Watchdog 是什么?

Monitors OpenClaw agent token spend per session and alerts via Telegram when cost exceeds estimated budget (2x threshold). Prevents runaway debugging loops f... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 116 次。

如何安装 Token Watchdog?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install token-watchdog」即可一键安装,无需额外配置。

Token Watchdog 是免费的吗?

是的,Token Watchdog 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Token Watchdog 支持哪些平台?

Token Watchdog 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Token Watchdog?

由 ddaekeu3-cyber(@ddaekeu3-cyber)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论