AgentMeter

Security checks across malware telemetry and agentic risk

Overview

AgentMeter is a disclosed spend-tracking skill that installs a local Claude Code Stop hook and optionally syncs usage summaries to its dashboard.

Install only if you are comfortable with /meter making local project changes, scanning historical Claude Code transcript metadata, and keeping a persistent Stop hook until you remove it. Use dashboard sync only if you trust AgentMeter and the configured endpoint, because it uploads usage summaries and stores an API key locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script's documented behavior is to sync local spend/session data to a hosted backend, while the skill description emphasizes local spend summary functionality. That mismatch creates a data-governance and user-consent risk because project names, model usage, timestamps, and intent metadata are transmitted off-device without being clearly justified by the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup flow collects an API credential and configures remote telemetry upload even though the advertised skill purpose is spend tracking/reporting. This expands the trust boundary and can expose sensitive operational metadata to a third party without sufficient justification or user expectation.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The `/meter` entrypoint is presented as a spend summary command, but it also performs persistent installation behavior by copying a hook into `.claude/hooks/` and modifying `.claude/settings.json`. This violates least surprise and can change future agent behavior without explicit user approval, creating a trust and integrity risk even if the hook itself is not overtly malicious.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script automatically modifies local hooks and settings configuration, which gives the skill persistent execution on future session stops. For a command described as a summary tool, this extra capability is not clearly justified and expands the security boundary by introducing auto-run behavior into the user's workspace.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `/meter` flow is presented as a single convenient command, but the setup section states it will automatically copy a Stop hook and create or update `.claude/settings.json`. Failing to warn users at invocation time about persistent configuration changes reduces informed consent and increases the chance that a user authorizes filesystem modifications they did not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The dashboard sync feature directs users to configure and run a sync script without a clear warning that session/spend metadata will be transmitted to a hosted third-party service. Because the skill collects data derived from Claude session transcripts, this omission can lead to unintended disclosure of operational metadata and project-related information to an external backend.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The API key is entered with terminal echo enabled, so it can be shoulder-surfed, captured in terminal recording/logging tools, or exposed in shared shell sessions. The script also does not warn the user that the key will be persisted locally in a config file.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Installing and wiring a session-end hook without prior confirmation is dangerous because it silently grants the skill persistence and automatic future execution. Even if the current hook is intended for metering, silent persistence is a common mechanism for abuse and reduces the user's ability to make an informed trust decision.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script backfills spend data by scanning Claude transcript files under `$HOME/.claude/projects` and extracting usage metadata without an up-front disclosure at invocation time. While this appears aligned with the metering purpose, it still accesses historical local data that users may not expect a summary command to read automatically.

VirusTotal

63/63 vendors flagged this skill as clean.
