Is cyberash-dev/claude-cost-cli safe?
https://github.com/openclaw/skills/tree/main/skills/cyberash-dev/claude-cost-cli
The claude-cost-cli skill file (SKILL.md) is clean documentation with no prompt injection, hidden instructions, persona manipulation, or data exfiltration vectors. The git clone was clean, all canary honeypot files were untouched, and no suspicious network activity occurred during installation. The residual risk is that the skill's recommended installation path ('npm install -g claude-cost-cli') downloads an external npm package not executed during this monitoring session — that package handles Admin API credentials at runtime and would need independent source review before deployment in a sensitive environment.
Findings (6)
MEDIUM Recommended install runs unaudited npm package with credential access -22
The skill's canonical installation path ('npm install -g claude-cost-cli') downloads and executes a third-party npm package that is not part of the skill files themselves and was not executed during this monitoring session. npm global installs run with full user privileges and can execute arbitrary code via preinstall/postinstall lifecycle hooks. The installed package is subsequently entrusted with Admin API credentials entered by the user. The author claims provenance attestation and open source, but neither was independently verified in this audit.
LOW Skill handles high-value Admin API credentials at runtime -15
The skill is designed to store and transmit Anthropic Admin API keys (sk-ant-admin prefix). These keys grant read access to organization-wide token usage and cost data. At runtime, if the npm package contains a backdoor, it could exfiltrate the credential when the user runs 'claude-cost config set-key'. The static SKILL.md makes no attempt to request or exfiltrate credentials itself, and the canary files were untouched.
LOW Canary files accessed post-install in batch pattern 0
All six honeypot credential files were accessed simultaneously (same millisecond timestamp) approximately 4 seconds after skill installation completed. The synchronous batch access pattern and confirmed canary integrity strongly suggest this originated from oathe's own post-install canary verification scan. However, the possibility that sparse skill installation triggered a credential enumeration routine cannot be entirely excluded without process-level correlation of these specific syscalls.
LOW Admin API key interception via npm package is a viable attack vector -20
A malicious version of the claude-cost-cli npm package could intercept the Admin API key when typed into 'claude-cost config set-key', extract it from the Keychain on subsequent invocations, or exfiltrate query results. The Admin API key grants read access to org-wide usage data which may reveal usage patterns, model choices, and API key IDs. This is a theoretical but realistic supply chain risk for any npm-distributed credential tool.
INFO External GitHub source URLs in SKILL.md -4
SKILL.md includes direct links to specific source files in the github.com/cyberash-dev/claude-cost-cli repository, intended as transparency/verification references. These are standard documentation practice and do not instruct the agent to fetch them. No manipulation risk identified.
INFO System-level Ubuntu/Canonical network activity during install window -7
Connections to 91.189.91.48 (Ubuntu security updates) and 185.125.188.54 (Snap store/Launchpad) were observed in the monitoring window. These are pre-existing system background processes unrelated to the skill install, consistent with a freshly booted Ubuntu GNOME session.