Skill v1.0.3

ClawScan security

Ccusage Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 2:47 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with its stated purpose (running the ccusage CLI via bunx to report Claude Code usage); it runs local commands but does not request unrelated credentials or persistent privileges.
Guidance
This skill appears to do what it says: it runs the ccusage CLI via bunx to summarize local Claude Code usage. Before installing or using it, consider the following:
- Running the skill executes local shell commands; ccusage will read Claude Code session data on your machine — ensure you trust the ccusage package and that you are willing to let it access those files.
- bunx (or bun) may fetch and run code from package registries at runtime. If you prefer, inspect or install ccusage yourself before using the skill.
- The SKILL.md uses GNU date syntax (`date -d '7 days ago'`) that may fail on macOS; expect possible command failures on some environments.
- The skill does not request API keys or env vars, but outputs could include sensitive usage details; avoid sending raw output to untrusted external channels.

If you only need a local usage summary and trust ccusage, this skill is coherent and appropriate. If you are uncomfortable with runtime package fetching or local file access, consider running ccusage manually instead.

Review Dimensions

Purpose & Capability
ok
The name/description say it reports Claude Code usage via ccusage and the SKILL.md only requires the bunx binary and runs `bunx ccusage`. There are no unrelated environment variables, binaries, or config paths requested, so the requested footprint matches the stated purpose.
Instruction Scope
note
The instructions direct the agent to execute local shell commands (e.g., `bunx ccusage ...` and `date` invocations) which is appropriate for a CLI-based usage report. This will cause the agent to run commands on the host and read whatever files ccusage needs (the README notes Claude Code session data must be present). That behavior is coherent with the skill's purpose but users should be aware ccusage may read local session files (which could contain sensitive content or tokens). Also, the SKILL.md uses GNU `date -d` syntax which is not portable on all systems (macOS BSD date), so commands may fail on some hosts — a functional, not security, concern.
Install Mechanism
note
This is an instruction-only skill (no install spec). It expects bunx to be present; the README says `ccusage` will be fetched automatically via bunx at runtime. Not writing files itself is low risk, but runtime fetching/executing of a third-party package via bunx means you must trust the ccusage package and the host toolchain (bun/bunx/npm). There are no embedded download URLs or obscure installers in the skill itself.
Credentials
ok
The skill declares no required environment variables or credentials, which is appropriate for a local CLI report tool. Note: although no env vars are requested, the executed ccusage tool may access local session data (files) that could contain API keys or other sensitive info — this is expected for a usage-reporting tool but worth awareness.
Persistence & Privilege
ok
The skill is not always-enabled and is user-invocable; it does not request persistent presence or modify other skills or global agent settings. Autonomous invocation remains allowed by platform default but this is not combined with any broad credentials or always:true privilege.