cost-tracking
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user or agent to run `npx ccusage@latest`, which downloads an unverified and unversioned package from the public NPM registry. This lacks the security afforded by version pinning and source verification.
- [REMOTE_CODE_EXECUTION]: The command `claude mcp add --transport sse vantage https://mcp.vantage.sh/sse` adds a remote MCP server to the environment. While Vantage is a well-known service, adding remote servers introduces external dependencies that execute within the agent's context.
- [DATA_EXFILTRATION]: The `ccusage` tool is designed to read sensitive local directories, including `~/.claude/projects/`, `~/.opencode/sessions/`, `~/.codex/sessions/`, and `~/.amp/sessions/`. These locations contain detailed session logs that may expose user interactions, source code, or internal tokens.
- [COMMAND_EXECUTION]: The skill documentation provides various shell command examples (`curl`, `npx`, `claude mcp add`) for retrieving billing data and managing configurations.
- [DATA_EXFILTRATION]: The skill presents an indirect prompt injection surface as it consumes and processes external data from the Anthropic and Vercel APIs.
  - Ingestion points: Vercel Billing API (`references/vercel-api.md`) and Anthropic Usage/Cost APIs (`references/anthropic-api.md`).
  - Boundary markers: None identified in the provided documentation.
  - Capability inventory: Subprocess execution and command calls are prevalent in `SKILL.md` and reference files.
  - Sanitization: No sanitization or validation logic for external data is documented.
Audit Metadata