Model Usage
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a purpose-aligned local CodexBar cost summarizer, with user-noticeable access to local usage logs and a third-party CLI dependency but no evidence of hidden exfiltration or destructive behavior.
This skill appears safe for its stated purpose. Before installing or using it, confirm you trust the CodexBar CLI source and are comfortable letting the agent summarize local Codex/Claude model usage and cost history.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may require trusting and installing CodexBar from the referenced Homebrew tap.
The skill requires an external Homebrew cask to provide the CodexBar CLI. This is disclosed and purpose-aligned, but users should recognize the third-party dependency.
"install":[{"id":"brew-cask","kind":"brew","cask":"steipete/tap/codexbar","bins":["codexbar"],"label":"Install CodexBar (brew cask)"}]
Verify the CodexBar source and Homebrew tap before installing, especially if you have not already used CodexBar.
Running the skill executes a local CLI command to read CodexBar cost data.
The bundled script runs the local CodexBar CLI. The command is fixed, does not use a shell, and directly supports the advertised cost-summary function.
cmd = ["codexbar", "cost", "--format", "json", "--provider", provider]
output = subprocess.check_output(cmd, text=True)
Use it only in environments where CodexBar is expected and trusted; review the CodexBar CLI behavior if local usage data is sensitive.
The output may reveal which models you used and how much they cost over time.
The skill’s data source is local persisted Codex/Claude usage logs. The advertised output is cost/model summaries rather than transcript content, but the data source is still local usage history.
Cost usage is local-only. It reads JSONL logs under:
- Codex: ~/.codex/sessions/**/*.jsonl
- Claude: ~/.config/claude/projects/**/*.jsonl or ~/.claude/projects/**/*.jsonl
Run it only when you are comfortable sharing local model/cost history in the current conversation or output destination.
