cost-tracking
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to execute
npx ccusage@latest, which downloads content from the NPM registry at runtime. It also directs the setup of an external MCP server fromhttps://mcp.vantage.sh/sse. - [REMOTE_CODE_EXECUTION]: The use of unpinned external packages (
ccusage@latest) and third-party MCP integrations allows for the execution of code from unverified external sources that are not part of the skill's own codebase. - [COMMAND_EXECUTION]: The skill utilizes shell commands (
curl,jq,npx) to interact with sensitive administrative tokens (ANTHROPIC_ADMIN_KEY,VERCEL_TOKEN). This pattern creates a high-impact risk if shell inputs or external API responses are manipulated. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through external data ingestion. (1) Ingestion points: Data fetched from Anthropic and Vercel billing APIs, and local JSONL session logs in
references/ccusage.md. (2) Boundary markers: Absent; the skill lacks delimiters or instructions to ignore instructions embedded in the billing data. (3) Capability inventory: Full shell execution viacurl,jq, andnpxinSKILL.mdand reference files. (4) Sanitization: Absent; data is processed directly via shell utilities and potentially interpolated into the agent's context.
Audit Metadata