
Security audit

Claude Code Usage

Security checks across malware telemetry and agentic risk

Overview

The main usage checker is disclosed and purpose-aligned, but an included notification script can send usage-reset messages to a fixed Telegram account that the user cannot configure.

Install only if you are comfortable with a local script reading your Claude Code OAuth credential to call Anthropic's usage API. Do not run or schedule monitor-and-notify.sh unless you first replace or remove the hard-coded Telegram target, and review any Clawdbot cron jobs created by the reminder or monitoring scripts so you can stop recurring checks and notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises executable shell-based behavior but does not declare permissions, which weakens user and platform visibility into what the skill can do. In a skill that also accesses credentials and sets up automation, hidden execution capability increases the chance of unintended or opaque actions being run.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented purpose is checking usage limits, but the described behavior extends to credential retrieval, token refresh triggering, cron management, and Telegram delivery. This mismatch is dangerous because users may invoke a seemingly read-only status skill without realizing it can access secrets, persist scheduled jobs, and transmit data externally.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The documentation instructs users to configure recurring command execution through Clawdbot or system cron and to deliver results to Telegram, which extends the skill from an on-demand quota checker into a persistent monitoring and notification mechanism. That creates a broader attack surface because any compromise or modification of the referenced script would be executed automatically and repeatedly with the user's privileges.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script goes beyond passive usage inspection by retrieving OAuth credentials from local secret stores and attempting to refresh them automatically. In an agent-skill context, that expands privilege and side effects unnecessarily, increasing the risk of credential misuse or unexpected account actions if the skill is invoked without clear user awareness.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: Invoking the Claude CLI with a synthetic prompt to force token refresh introduces an unnecessary execution path for a tool whose stated purpose is only to check usage limits. This can trigger unintended side effects, hide active account interaction behind a read-only facade, and make the skill more dangerous than users expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script's stated purpose is monitoring Claude Code usage, but it also exfiltrates status data to an external Telegram recipient hard-coded as a numeric target. This creates an undocumented outbound communication path that can leak usage patterns or account-related activity and is more dangerous because the skill description does not clearly disclose this behavior to the user.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The script invokes an external CLI to send Telegram messages to a fixed external target, which is an outbound capability unrelated to simple local quota checking. Any monitored output containing sensitive or identifying details could be transmitted off-system, and the hard-coded recipient increases the risk of unauthorized disclosure or covert data exfiltration.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The script does more than passively check usage: it enumerates, deletes, and creates external Clawdbot cron jobs, introducing persistent side effects outside the stated usage-checking purpose. In a skill intended to report Claude Code quota status, automatically modifying external scheduler state expands privilege and can be abused to create unsolicited recurring actions or interfere with other reminders if the matching logic is too broad.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The script schedules a Clawdbot cron job that delivers messages via Telegram, which is an external communication channel not necessary for merely checking local usage limits. This creates a data-flow and notification side effect beyond the advertised purpose, and in the skill context it is more dangerous because users asking about quota status would not reasonably expect the tool to configure external messaging infrastructure on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The instructions tell users to place a Telegram chat identifier into configuration and state that it is usually their phone number, but they do not warn that this may be sensitive personal data. Exposing or mishandling that identifier can leak personal information and tie notifications or activity to a specific user account.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The README states that the skill 'automatically triggers' for broad natural-language requests about usage and quota status, but it does not define clear activation boundaries or safeguards. In an agent environment, overly broad triggers can cause unintended invocation, exposing account-usage data or causing unnecessary API calls in contexts where the user did not explicitly request this skill.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README promotes self-scheduling reminders and automated polling that 'runs forever with zero maintenance' without prominently warning about persistent execution, recurring network activity, or potential notification spam. In a user agent or bot environment, this can lead to long-lived background behavior, resource consumption, and surprise monitoring that users may not fully understand or consent to.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger description is broad enough that the skill may be invoked for general Claude usage questions, causing unnecessary execution of shell-based logic or credential-touching workflows. Over-broad invocation increases exposure by running a higher-privilege skill in contexts where a simple textual answer would have sufficed.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The monitoring setup sends notifications through Telegram without a prominent privacy warning or clear consent boundary. Even if only usage metadata is sent, external transmission of account activity timing and utilization can leak behavioral patterns and surprise users who expected all processing to remain local.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script executes a credential-refresh action without warning the user that it is running another program and causing an authenticated account interaction. In a skill ecosystem, undisclosed execution is risky because users may believe they are performing a harmless status check when the script is actually modifying session state.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The Telegram transmission occurs silently with no user-facing warning, consent flow, or runtime disclosure. In the context of a skill advertised for checking usage limits, undisclosed external notification behavior is especially risky because users may reasonably expect only local inspection, not transmission of account activity to a third party.

Credential Access

Severity: High
Category: Privilege Escalation
Content (quoted from the skill's README):

## Requirements

- **macOS**: Uses Keychain to access Claude Code credentials
- **Linux**: Uses `secret-tool` for credential storage
- **Credentials**: Must have Claude Code CLI authenticated

Confidence: 95%
Finding (matched term): Keychain

Credential Access

Severity: High
Category: Privilege Escalation
Content (quoted from the skill's README):

## How It Works

1. Retrieves OAuth token from system keychain
2. Queries `api.anthropic.com/api/oauth/usage` with OAuth bearer token
3. Parses `five_hour` and `seven_day` utilization metrics
4. Calculates time remaining until reset

Confidence: 96%
Finding (matched term): keychain

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.