Is aligurelli/claude-usage-checker safe?

https://github.com/openclaw/skills/tree/main/skills/aligurelli/claude-usage-checker

86
SAFE

The claude-usage-checker skill is a narrow-purpose utility that launches the user's local Claude CLI via PTY and reads the /usage command output to report quota and reset information. The skill package is clean — two metadata files, no executable code, no exfiltration instructions, and all canary honeypots remained intact. The primary concern is the PTY/send-keys mechanism, which is a general-purpose text-injection interface that could be abused in a future malicious revision; the current implementation's commands are tightly scoped and benign.

Category Scores

Prompt Injection 83/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

MEDIUM PTY send-keys mechanism creates general-purpose command injection surface -18

The skill instructs the agent to launch claude via PTY and send keystrokes programmatically using process action=send-keys. While the specified literals (/usage, /exit) are harmless, this is a fully general text-injection interface into any PTY process. A future malicious version of this skill could substitute any Claude CLI command or shell input. The current implementation is clean, but the pattern establishes a privileged capability that warrants user awareness.

LOW Agent reads back PTY session output into context without sanitization guidance -10

The skill instructs the agent to poll the Claude CLI session and read its output until usage data appears, then report it. If the CLI output contained unexpected or adversarial text (e.g. from a compromised CLI binary), that content would flow back into the agent's context without any filtering instruction. Risk is low because the user owns the CLI session, but the skill provides no output sanitization guidance.

LOW Published under personal account with separate homepage repo -10

The skill is attributed to personal account aligurelli and its homepage points to github.com/aligurelli/clawd, a distinct personal repository separate from the openclaw/skills monorepo. This split provenance makes it harder to verify the skill's lineage and audit history compared to organization-verified skills. No malicious behavior was observed, but the provenance gap reduces trust assurance.

LOW Usage quota data exposed to agent context before user display -10

The skill collects Claude plan quota figures (session %, weekly %, extra usage costs, reset times) from the CLI and formats them for user display. This data passes through the agent's context. While quota data is not secret, it does reveal subscription tier and spending patterns. No external transmission is instructed.

INFO No executable artifacts in skill package 0

The installed skill contains exactly two files: SKILL.md and _meta.json. Filesystem diff confirms no scripts, binaries, compiled code, git hooks, or additional files were introduced. The skill relies entirely on the agent executing declared CLI commands rather than shipping its own code.