Model Usage
Pass. Audited by ClawScan on May 1, 2026.
Overview
This skill appears to summarize local CodexBar cost data as advertised, with the main things to notice being its third-party CLI dependency and access to local AI usage logs.
Before installing, confirm you trust the CodexBar CLI source and are comfortable letting it read local Codex/Claude usage logs to generate model-cost summaries. The provided artifacts do not show exfiltration, destructive actions, persistence, or credential handling.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill will run a local CodexBar cost command to gather usage information.
The script executes the local CodexBar CLI to retrieve cost data. This is expected for the skill's purpose, and the command is constructed as an argument list rather than a shell string.
cmd = ["codexbar", "cost", "--format", "json", "--provider", provider]
Install and use this only if you trust CodexBar and want the agent to summarize local model-cost data.
The behavior and safety of the skill depend partly on the installed CodexBar CLI package.
The skill relies on a Homebrew cask from an external tap to provide the required CodexBar binary.
"kind": "brew", "cask": "steipete/tap/codexbar", "bins": ["codexbar"]
Verify the CodexBar Homebrew tap and package source before installing or updating it.
Reports may reveal which models were used, when they were used, and how much they cost; the underlying local logs may contain more sensitive AI activity data.
The referenced data source is persistent local AI usage/session history. The included script appears to summarize cost/model fields rather than raw prompts, but the source logs are still sensitive local records.
Cost usage is local-only. It reads JSONL logs under:
Codex: ~/.codex/sessions/...
Claude: ~/.config/claude/projects/** or ~/.claude/projects/**
Use the skill for local cost summaries only, and avoid sharing raw CodexBar JSON or local session logs unless you have reviewed them.
