Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ccusage Report
v1.0.3Report Claude Code token consumption and costs using ccusage. Use when the user asks about their Claude Code usage, token consumption, API costs, spending, o...
⭐ 0· 327·0 current·0 all-time
by𝑠𝑝𝑖𝑑𝑒𝑦@spideystreet
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description say it reports Claude Code usage via ccusage and the SKILL.md only requires the bunx binary and runs `bunx ccusage`. There are no unrelated environment variables, binaries, or config paths requested, so the requested footprint matches the stated purpose.
Instruction Scope
The instructions direct the agent to execute local shell commands (e.g., `bunx ccusage ...` and `date` invocations) which is appropriate for a CLI-based usage report. This will cause the agent to run commands on the host and read whatever files ccusage needs (the README notes Claude Code session data must be present). That behavior is coherent with the skill's purpose but users should be aware ccusage may read local session files (which could contain sensitive content or tokens). Also, the SKILL.md uses GNU `date -d` syntax which is not portable on all systems (macOS BSD date), so commands may fail on some hosts — a functional, not security, concern.
Install Mechanism
This is an instruction-only skill (no install spec). It expects bunx to be present; the README says `ccusage` will be fetched automatically via bunx at runtime. Not writing files itself is low risk, but runtime fetching/executing of a third-party package via bunx means you must trust the ccusage package and the host toolchain (bun/bunx/npm). There are no embedded download URLs or obscure installers in the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for a local CLI report tool. Note: although no env vars are requested, the executed ccusage tool may access local session data (files) that could contain API keys or other sensitive info — this is expected for a usage-reporting tool but worth awareness.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent presence or modify other skills or global agent settings. Autonomous invocation remains allowed by platform default but this is not combined with any broad credentials or always:true privilege.
Assessment
This skill appears to do what it says: it runs the ccusage CLI via bunx to summarize local Claude Code usage. Before installing/use, consider the following:
- Running the skill executes local shell commands; ccusage will read Claude Code session data on your machine — ensure you trust the ccusage package and that you are willing to let it access those files.
- bunx (or bun) may fetch and run code from package registries at runtime. If you prefer, inspect or install ccusage yourself before using the skill.
- The SKILL.md uses GNU date syntax (`date -d '7 days ago'`) that may fail on macOS; expect possible command failures on some environments.
- The skill does not request API keys or env vars, but outputs could include sensitive usage details; avoid sending raw output to untrusted external channels.
If you only need a local usage summary and trust ccusage, this skill is coherent and appropriate. If you are uncomfortable with runtime package fetching or local file access, consider running ccusage manually instead.Like a lobster shell, security has layers — review code before you run it.
latestvk97dh6ac5nsx2zt2gkj5dd1rts82bk4w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsbunx