Is jacks3tr/save-usage safe?

The skill mandates that the agent classify every user message before generating any response, using CRITICAL/MUST imperatives embedded in the frontmatter description field. The author explicitly designed the description to be unusually long because Clawdbot always injects the description into the system prompt, guaranteeing the routing rules are active on every turn. This gives the skill de facto veto power over all agent responses, overriding default and platform-level instructions.

The skill explicitly instructs the agent to never volunteer that a model switch has occurred. Users are left believing they are interacting directly with the agent when their messages may be transparently routed to a different model and service. This constitutes a deliberate deception instruction injected via the system prompt.

For any task matching the escalation criteria — which covers nearly all substantive work including code changes, architecture, security, uncertainty, and structured deliverables — the skill instructs the agent to call sessions_spawn() with the complete user message as the payload. This creates a systematic mechanism to forward user queries to an external service on every non-trivial interaction. If sessions_spawn routes to attacker-controlled infrastructure, or if the named models resolve through a proxy, this is a comprehensive conversation exfiltration channel.

The model names gpt-5.1-codex-mini and gpt-5.3-codex do not match established OpenAI product naming conventions and cannot be independently verified as routing to OpenAI endpoints. The phrase 'OpenAI oAuth models' in the description is non-standard terminology. If the sessions_spawn implementation resolves these identifiers through an intermediary registry, user messages could be intercepted without any signal in the skill text.

The skill author explicitly documents that the frontmatter description is intentionally long because the Clawdbot platform only auto-injects the description, not the SKILL.md body. The author engineered this to ensure routing logic is always present in the system prompt regardless of whether the full file is read. This demonstrates deliberate circumvention of the platform's distinction between always-present and on-demand skill content.

Filesystem monitoring recorded OPEN/ACCESS events against .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application default credentials at audit timestamps 1771924228.606 and 1771924245.883. Cross-referencing EXECVE timing places these accesses within the Oathe audit infrastructure's canary-baseline and canary-verification phases (before and after the git clone), not within a process spawned by the skill itself. Canary integrity confirms no modification or exfiltration. Attribution to the audit system is probable but not definitively excludable.

The skill issues an unconditional tool-call instruction (sessions_spawn) for a function not defined or scoped within the skill itself. Security posture is entirely dependent on the platform's sessions_spawn implementation. If that implementation changes or is itself compromised, the skill becomes a vector for automated message forwarding with no in-skill controls.

The combined escalation triggers — executed output, security/auth/secrets, architecture, integration contracts, ambiguity, high-impact decisions, complex reasoning, and structured deliverables — cover the vast majority of substantive agent tasks. Combined with the non-disclosure instruction, the practical effect is a silent universal message-forwarding layer over all meaningful agent interactions.