skills/elizaos/eliza/model-usage/Gen Agent Trust Hub

model-usage

Warn

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • Data Exposure & Exfiltration (MEDIUM): The skill reads usage logs from sensitive local directories, including ~/.codex/sessions/ and ~/.config/claude/projects/. These paths typically contain sensitive interaction history and session metadata. The access is necessary for the skill's primary purpose of summarizing usage costs, but it still poses a data exposure risk. The severity is downgraded from HIGH because the access is essential for the intended functionality.
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill installs the codexbar CLI tool via a non-whitelisted third-party Homebrew tap (steipete/tap/codexbar). Installation and execution of binaries from unverified external sources can lead to remote code execution if the source is compromised.
  • Indirect Prompt Injection (LOW): The skill processes external log data which could be manipulated to influence agent behavior. (1) Ingestion points: JSON output from the codexbar cost CLI command. (2) Boundary markers: Absent in the processing instructions. (3) Capability inventory: Subprocess execution of python and codexbar commands. (4) Sanitization: No sanitization logic for input data is documented.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 18, 2026, 06:11 PM