Claude Code Usage

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: claude-code-usage
Version: 1.2.0

The skill is designed to check Claude Code OAuth usage limits and provide automated monitoring. It accesses specific 'Claude Code-credentials' from the system keychain or secret-tool, which is a sensitive operation but necessary for its stated purpose. It queries the legitimate Anthropic API endpoint `api.anthropic.com/api/oauth/usage`. Automated monitoring and reminders are implemented by scheduling tasks using the `clawdbot cron add` command, which operates within the agent's controlled environment rather than directly modifying system crontabs. All actions are transparently aligned with the skill's description, and there is no evidence of data exfiltration to unauthorized endpoints, malicious execution, or prompt injection attempts against the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If this helper is run, your Claude usage/reset notification could be sent to someone else's Telegram account.

Why it was flagged

This sends reset notification content to a fixed Telegram target ID instead of a user-provided or documented recipient.

Skill content

printf '%s' "$MESSAGE" | clawdbot message send --telegram --target 5259918241

Recommendation

Do not run monitor-and-notify.sh unless the hard-coded target is removed or replaced with your own explicit, documented configuration.

What this means

Running the checker gives the script access to your local Claude Code OAuth token, although the shown code uses it for the stated Anthropic usage endpoint.

Why it was flagged

The script reads local Claude Code OAuth credentials and uses the access token to query Anthropic's usage API.

Skill content

security find-generic-password -s "Claude Code-credentials" -w ...; secret-tool lookup application "Claude Code" ...; -H "Authorization: Bearer $TOKEN"

Recommendation

Only run this from a trusted local copy, and verify that token handling remains limited to api.anthropic.com.

Note (High Confidence)
ASI10: Rogue Agents

What this means

The skill may continue checking usage and sending reminders until you remove the scheduled job.

Why it was flagged

The monitoring feature intentionally creates persistent scheduled reminders that continue after initial setup.

Skill content

This creates a self-scheduling chain of cron jobs ... Repeats every 5 hours automatically

Recommendation

Enable monitoring only if you want recurring background checks, and know how to list and remove the related Clawdbot cron jobs.

What this means

A usage check can automatically make a small Claude CLI request when credentials need refreshing.

Why it was flagged

When the stored token is expired, the script invokes the local claude CLI to trigger token refresh.

Skill content

echo "2+2" | claude >/dev/null 2>&1 || true

Recommendation

If you do not want automatic CLI refresh behavior, refresh Claude manually or remove this fallback before running the script.