v1.0.0

Token Usage Dashboard

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:31 AM.

Analysis

This appears to be a local CodexBar usage dashboard; it uses a disclosed local CLI and writes local reports, so users should review the data it reads and the CodexBar install source.

Guidance: Before installing, confirm that you trust the CodexBar Homebrew tap and that you are comfortable letting the skill summarize your local Codex/Claude usage logs. If the cost or usage data is sensitive, write output to a private directory rather than a shared temporary location such as /tmp.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/token_usage_dashboard.py
cmd = ["codexbar", "cost", "--format", "json", "--provider", provider]
output = subprocess.check_output(cmd, text=True)

The dashboard invokes the local CodexBar CLI to obtain usage/cost data. This is central to the stated purpose and does not go through a shell (the command is passed as an argv list, so the provider value cannot inject extra commands), but it is still local tool execution.

User impact: Running the skill lets it execute CodexBar locally to read usage/cost data for the selected provider.
Recommendation: Use it when you intend to inspect CodexBar usage. If you want more control, export the CodexBar JSON yourself and run the scripts with --input.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
install spec
brew | formula: steipete/tap/codexbar | creates binaries: codexbar

The required codexbar binary is installed from an external Homebrew tap. This is disclosed and purpose-aligned, but it requires trusting that package source.

User impact: The dashboard relies on CodexBar for the underlying local usage extraction.
Recommendation: Install only if you trust the CodexBar project and the referenced Homebrew tap.
Rogue Agents
Severity: Info | Confidence: High | Status: Note
README.md
`/tmp/report_center/report_history.json` stores the report history and the paths of the downloadable files (JSON/CSV).

The optional report scheduler persists report history and artifact paths. The workflow is documented and user-invoked rather than hidden background persistence.

User impact: If you use report scheduling, local report metadata and generated report paths will remain on disk.
Recommendation: Choose a protected report output directory and periodically remove report history you no longer need.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
references/codexbar-cli.md
Cost usage is local-only. It reads JSONL logs under: Codex: ~/.codex/sessions/*_/_.jsonl ... Claude: ~/.config/claude/projects/**/*.jsonl or ~/.claude/projects/**/*.jsonl

The data source is local LLM usage logs, which can reveal private usage patterns even when the skill summarizes them for costs.

User impact: Generated summaries or dashboards may expose model usage, costs, dates, and related analytics to anyone who can read the output files.
Recommendation: Store outputs in a private location, avoid sharing generated HTML/JSON unless intended, and delete old reports if they contain sensitive usage data.
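The three recommendations above (prefer a user-supplied export over invoking the CLI, keep report history out of shared directories, and store outputs privately) can be combined into one small wrapper. The following is an added example, not code from the skill, the CodexBar project, or the scan; the JSON schema of the constructed sample, the provider allowlist, and all function names are this example's own assumptions. Only the `codexbar cost --format json --provider` invocation is taken from the page.

```python
"""Added example: fetch CodexBar usage data the controlled way and write the
report only to a private location. Not the skill's or CodexBar's own code.
Assumed (not from the page): the sample JSON schema, the provider allowlist,
and every helper name below.
"""
import json
import os
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Provider names the page mentions as CodexBar data sources (assumed spelling).
ALLOWED_PROVIDERS = frozenset({"codex", "claude"})

# Constructed sample export in a hypothetical schema; real codexbar output may differ.
SAMPLE_EXPORT = json.dumps({
    "provider": "claude",
    "days": [
        {"date": "2026-04-29", "input_tokens": 120000, "output_tokens": 8000, "cost_usd": 1.25},
        {"date": "2026-04-30", "input_tokens": 80000, "output_tokens": 5000, "cost_usd": 0.80},
    ],
})


def load_usage(provider: str, input_path: Optional[str] = None) -> dict:
    """Return usage data from a user-supplied export (the --input route) or,
    only if none is given, by running the local codexbar CLI without a shell."""
    if provider not in ALLOWED_PROVIDERS:
        raise ValueError(f"unknown provider: {provider!r}")
    if input_path is not None:
        # Preferred: the user exported the JSON themselves; no tool execution at all.
        with open(input_path, encoding="utf-8") as fh:
            return json.load(fh)
    # Fallback: argv list, shell=False, so the provider string cannot inject commands.
    cmd = ["codexbar", "cost", "--format", "json", "--provider", provider]
    return json.loads(subprocess.check_output(cmd, text=True, timeout=30))


def summarize(data: dict) -> dict:
    """Aggregate totals so that only derived figures, not raw log detail, are written out."""
    days = data.get("days", [])
    return {
        "provider": data.get("provider"),
        "days": len(days),
        "input_tokens": sum(d.get("input_tokens", 0) for d in days),
        "output_tokens": sum(d.get("output_tokens", 0) for d in days),
        "cost_usd": round(sum(d.get("cost_usd", 0.0) for d in days), 2),
    }


def is_private_dir(path: Path) -> bool:
    """True only if the directory is owned by the current user and has no
    group/other permission bits. A shared location such as /tmp fails this."""
    st = path.stat()
    if not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    return (st.st_mode & 0o077) == 0


def write_private_report(summary: dict, out_path: str) -> Path:
    """Create the report as a new 0600 file inside a private directory."""
    target = Path(out_path).expanduser().resolve()
    if not is_private_dir(target.parent):
        raise PermissionError(f"refusing to write into shared directory {target.parent}")
    # O_EXCL: never overwrite or follow a pre-existing (possibly planted) file.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(summary, fh, indent=2)
    return target


def run_demo():
    """Exercise the --input route end to end in a fresh 0700 directory."""
    workdir = Path(tempfile.mkdtemp())          # mkdtemp creates the dir with mode 0700
    export = workdir / "claude_export.json"
    export.write_text(SAMPLE_EXPORT, encoding="utf-8")
    summary = summarize(load_usage("claude", str(export)))
    report = write_private_report(summary, str(workdir / "report.json"))
    return summary, report


if __name__ == "__main__":
    summary, report = run_demo()
    print(report, json.dumps(summary))
```

The directory check rejects `/tmp` itself (mode 1777, owned by root) and any directory readable by other users, which is exactly the failure mode the Rogue Agents and Memory and Context Poisoning findings describe; a `--input` export is read in preference to executing the CLI, and the provider is validated against an allowlist before it ever reaches an argv list.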