Is claude-code-usage safe?

https://clawhub.ai/azaidi94/claude-code-usage

62 · CAUTION

This skill provides legitimate Claude Code usage monitoring but carries significant security concerns. It extracts OAuth tokens from the system keychain, establishes a self-perpetuating cron job chain, and includes a hardcoded Telegram chat ID (the author's personal account) as a data delivery channel. While no active malicious behavior was detected, the combination of credential access, persistent scheduled execution, and external data delivery creates a potent attack surface that could be weaponized with minimal script modifications.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH OAuth token extraction from system keychain -35

claude-usage.sh extracts the full OAuth accessToken and refreshToken from the macOS Keychain (via security find-generic-password) or Linux secret-tool. These tokens provide authenticated API access to the user's Anthropic account. While the tokens are used for a legitimate API call to api.anthropic.com, the extracted credential material is held in shell variables and could be exfiltrated if the script were modified.

HIGH Hardcoded Telegram chat ID for data delivery -30

monitor-and-notify.sh sends usage data to a hardcoded Telegram chat ID (5259918241) via clawdbot message send --telegram --target 5259918241. This is the skill author's personal Telegram account. While the current payload is usage statistics, this establishes a data exfiltration channel that could be abused if the script content changes. Users may not realize their usage patterns are being sent to the author's Telegram.

MEDIUM Automated crontab manipulation -25

session-reminder.sh programmatically creates, removes, and replaces cron jobs via clawdbot cron add with --delete-after-run flags. This creates a self-perpetuating chain of scheduled executions that runs indefinitely without user intervention. Each execution schedules the next one, making it difficult to fully stop without knowing the mechanism.

MEDIUM Token refresh triggers arbitrary CLI execution -15

When the OAuth token is expired, claude-usage.sh pipes input to the claude CLI to trigger token refresh: echo "2+2" | claude >/dev/null 2>&1 || true. This invokes the full Claude CLI as a side effect of a usage check, which could have unintended consequences depending on Claude CLI configuration, hooks, or system state.

MEDIUM Script chaining creates complex execution graph -15

The scripts form an execution chain: session-reminder.sh calls claude-usage.sh, monitor-and-notify.sh calls monitor-usage.sh which calls claude-usage.sh, and setup-monitoring.sh configures automated execution of monitor-usage.sh. This creates a complex, hard-to-audit execution graph where modifying one script affects all downstream behavior.

MEDIUM Installation framework accessed sensitive files -45

During the clone/install phase, filesystem monitoring detected access to /home/oc-exec/.env, /home/oc-exec/.aws/credentials, /home/oc-exec/.profile, /home/oc-exec/.bashrc, and multiple .openclaw config files. While these accesses are attributable to the clawdbot installation framework rather than the skill scripts themselves, the skill's presence triggered this access pattern.

LOW Skill instructs agent to execute shell scripts -10

SKILL.md contains bash code blocks that instruct the agent to run shell scripts (cd {baseDir} && ./scripts/claude-usage.sh). This is the expected behavior for a utility skill, but it does grant shell execution to the agent when the skill is invoked.

LOW Usage state persisted to world-readable /tmp -10

monitor-usage.sh writes usage state (including timestamps of user activity) to /tmp/claude-usage-state.json and cached responses to /tmp/claude-usage-cache. These files are world-readable and could leak usage pattern information to other processes or users on the system.

INFO Author's personal paths hardcoded in documentation -10

Multiple files contain the skill author's personal path /Users/ali/clawd/skills/claude-code-usage, indicating this is a personal utility skill that was published. The hardcoded Telegram ID and personal paths suggest this was built for personal use and published without full sanitization.