model-usage

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill metadata in SKILL.md specifies an installation procedure using Homebrew (brew install --cask steipete/tap/codexbar). This downloads and installs a binary from a third-party repository belonging to an individual user, which is not included in the trusted vendor or organization lists.
  • [COMMAND_EXECUTION]: The script scripts/model_usage.py utilizes subprocess.check_output to execute the codexbar binary. While the arguments are largely constrained, executing external binaries poses a risk if the binary itself is malicious or compromised.
  • [DATA_EXPOSURE]: The script accesses local configuration and log directories (e.g., ~/.codex/sessions/ and ~/.config/claude/projects/) via the codexbar CLI. While this is consistent with the skill's stated purpose of summarizing usage costs, it involves reading potentially sensitive local data.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 6, 2026, 04:20 PM