Is model-usage safe?

https://clawhub.ai/steipete/model-usage

85
SAFE

This skill is a straightforward CodexBar cost-summarization utility with minimal security risk. It includes a well-structured Python script that invokes the codexbar CLI with constrained arguments and outputs usage data to stdout. No prompt injection, network activity, canary access, or malicious behavior was detected. The only notable concerns are the subprocess call to an external CLI (with proper argument constraints) and the ability to read arbitrary file paths via --input (mitigated by JSON parsing requirements).

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

LOW Python script executes external CLI via subprocess -10

model_usage.py uses subprocess.check_output to invoke 'codexbar cost --format json --provider '. The provider argument is constrained to 'codex' or 'claude' by argparse, preventing command injection. This is a standard pattern for CLI wrapper scripts.

LOW Skill requires installation of third-party brew cask -18

The metadata declares a dependency on 'steipete/tap/codexbar' brew cask. While this is a legitimate distribution mechanism, installing third-party taps introduces code from the tap maintainer. The tap is under the same author (steipete) as the skill.

LOW Script can read arbitrary local files via --input flag -8

The --input argument accepts any file path and reads its contents. While the JSON parser would reject non-JSON files, this could expose JSON-formatted sensitive data if an agent is tricked into passing a sensitive path. The risk is mitigated by the fact that the agent controls the arguments, not the skill.

INFO Script reads local LLM usage cost logs -5

By design, the script accesses CodexBar's local cost logs containing token usage and cost data. This is the stated purpose of the skill and the data is not transmitted externally.

INFO Usage data exposure via stdout -5

Cost and model usage data is printed to stdout, where it becomes visible in the agent conversation. In a multi-skill environment, another skill could theoretically capture this data. This is inherent to any data-reporting skill.

INFO SSH daemon boot activity in VM monitoring -5

Filesystem monitoring captured SSH host key and PAM configuration reads. These are standard ephemeral VM boot activities unrelated to the skill.