Zai Usage
Author: Daniel Vecera · v1.1.0
Total downloads: 395
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install zai-usage
Description
Monitor Z.AI GLM Coding Plan usage and quota limits. Track token consumption, view reset times, and check subscription status.
Security recommendations
This skill is mostly coherent for monitoring Z.AI usage, but review the following before installing:
- Verify credential expectations: README and most scripts use ZAI_JWT_TOKEN (a browser session JWT), but scripts/check-usage.sh references ZAI_API_KEY and different guidance. Ask the author or update/remove the mismatched script to ensure you only provide the intended secret.
- Treat the JWT as a sensitive credential: copying a token from browser localStorage can grant access to your account. Only store it in a secure file (e.g., ~/.openclaw/secrets/zai.env) with file permissions set to 600 and avoid committing it to git.
- Prefer using least-privilege / short-lived credentials where possible. If Z.AI provides an API key mechanism with limited scope or expiration, use that instead of a full session JWT.
- Confirm network behavior: the scripts only call https://api.z.ai/api/monitor/usage/quota/limit. If you see any other endpoints in future updates, review them carefully.
- If you are uncomfortable extracting tokens from browser storage, contact Z.AI support or check whether they provide an official API key or OAuth flow for monitoring usage.
Given the credential-name mismatch and the sensitive nature of the JWT extraction step, proceed only after resolving the inconsistency and ensuring secure handling of the token.
Functional analysis
Type: OpenClaw Skill
Name: zai-usage
Version: 1.1.0
The skill bundle is designed to monitor Z.AI usage and quotas. All scripts (`check-usage.sh`, `quick-check.sh`, `usage-summary.sh`) interact with the legitimate `https://api.z.ai` endpoint using a JWT token. The `SKILL.md` and `README.md` files provide clear, non-malicious instructions for setup and usage, explicitly guiding users to store the token securely in `~/.openclaw/secrets/zai.env`. While `scripts/usage-summary.sh` includes a `load_token` function that checks additional, less secure locations (`$SKILL_DIR/.env`, `~/.zai.env`) as fallbacks, this is a minor vulnerability (potential for insecure user choice) rather than malicious intent, as the documentation correctly advises the secure path, and the script does not exploit these locations or exfiltrate data. There is no evidence of data exfiltration, malicious execution, persistence, prompt injection, or obfuscation.
Capability assessment
Purpose & Capability
The scripts and documentation all target Z.AI usage monitoring and call a single API endpoint (https://api.z.ai/api/monitor/usage/quota/limit), which is consistent with the skill description. However, one script (scripts/check-usage.sh) expects a variable named ZAI_API_KEY and suggests retrieving a key from /dashboard, while the README/SKILL.md and the other scripts use ZAI_JWT_TOKEN taken from browser localStorage. This mismatch is unexplained and unnecessary for the described purpose.
Instruction Scope
Runtime instructions confine activity to reading a locally-stored token and calling the Z.AI API. The SKILL.md explicitly instructs the user to copy a JWT from browser DevTools (localStorage key z-ai-open-platform-token-production) — a sensitive operation but relevant to the stated task. The scripts search multiple local locations for the token (~/.openclaw/secrets/zai.env, SKILL_DIR/.env, ~/.zai.env, environment), which increases convenience but also broadens where the secret may be stored.
Install Mechanism
There is no install spec and no remote downloads. The skill is instruction-only with local shell scripts; nothing in the manifest causes arbitrary code to be fetched or executed at install time.
Credentials
The only secret the skill uses is a bearer token (JWT) for the Z.AI API, which is proportionate for a usage-monitoring tool. However, the aforementioned inconsistency between ZAI_JWT_TOKEN vs ZAI_API_KEY is suspicious: one script requires a differently-named credential and suggests a different retrieval path. Also, the skill instructs the user to extract a session JWT from browser localStorage — this token can grant account access and should be handled carefully. The skill reads secrets from multiple local paths, which is convenient but increases exposure if those files are not secured.
Persistence & Privilege
The skill does not request always:true, does not modify system-wide settings, and does not require any special persistent privileges. It only reads locally stored secrets and calls the Z.AI API.
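How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install zai-usage
- Once installation completes, invoke the Skill by name or trigger it with /zai-usage
- Provide the required inputs according to the Skill's parameter description to get structured output.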
Version history
v1.1.0
Improved documentation, better error handling, multiple token location support
v1.0.1
Initial release - usage monitoring for Z.AI GLM Coding Plan
v1.0.0
Z.AI Usage Monitor v1.0.0
- Initial release for tracking Z.AI GLM Coding Plan usage and quota.
- Monitor 5-hour and monthly token consumption and view reset times.
- Check web tool usage, subscription status, and receive visual status icons for current usage.
- Provides scripts and setup instructions for quick usage and status checks.
- Supports simple, natural language usage queries.
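FAQ
What is Zai Usage?
Monitor Z.AI GLM Coding Plan usage and quota limits. Track token consumption, view reset times, and check subscription status. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 395 cumulative downloads to date.
How do I install Zai Usage?
Run the command "/install zai-usage" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is Zai Usage free?
Yes, Zai Usage is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Zai Usage support?
Zai Usage is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Zai Usage?
Developed and maintained by Daniel Vecera (@1vecera); the current version is v1.1.0.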