Ccusage Report

Security checks across malware telemetry and agentic risk

Overview

The skill appears coherent for usage reporting, with a timezone accuracy caveat but no evidence of hidden, destructive, or exfiltrating behavior.

Safe to install if you understand the reporting timezone limitation. Before using the output for billing, budgeting, or operational decisions, verify whether reports are generated in `Europe/Paris` and adjust or reinterpret date ranges if you are in another timezone.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The skill hard-codes `-z Europe/Paris` when generating usage reports, which can silently produce incorrect daily, weekly, or monthly boundaries for users in other regions. Because billing and token summaries are time-bound, this can misstate spend and usage for the requested period, especially around day/week/month transitions, leading to misleading financial reporting or bad operational decisions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal