Poe Usage

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Poe usage-monitoring wrapper, but it relies on a Poe API key and a third-party Homebrew-installed CLI that users should trust before installing.

This looks safe for its stated purpose if you trust the poeusage CLI and Homebrew tap. Before installing, verify the external package source, protect your POE_API_KEY, and use filters or limits when asking for usage history.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Installing and using the skill gives the poeusage CLI access to your Poe account usage and balance through your API key.

Why it was flagged

The skill requires a Poe API key and passes it to the CLI for account balance and usage queries. This is expected for the purpose, but it is still credential-based account access.

Skill content
requires:
      env:
        - POE_API_KEY
...
- `--api-key` string (default from `$POE_API_KEY`)
Recommendation

Use an appropriately scoped key if Poe supports it, keep the key in environment variables rather than command history, and avoid storing it in persistent config unless necessary.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

You would be installing and running a third-party CLI that is outside the skill artifact itself.

Why it was flagged

The install path depends on an external Homebrew tap and formula for the poeusage CLI. This is consistent with the skill's CLI-wrapper purpose, but users must trust that external package source.

Skill content
brew tap rgstephens/tap
brew install poeusage
Recommendation

Review the referenced Homebrew tap or project repository, check release provenance where possible, and install only if you trust the maintainer.

ASI02: Tool Misuse and Exploitation
Low
What this means

A history request may pull more account usage metadata than you intended if no limit or date filter is used.

Why it was flagged

The history command can retrieve all available Poe usage records by default. This is disclosed and purpose-aligned, but broader than a single-balance check.

Skill content
Fetch usage history. Auto-paginates by default until all records are retrieved (or until `--limit`).
Recommendation

Use `--limit`, `--since`, `--until`, or `--no-paginate` when you only need a bounded subset of usage history.