codex-quota

SUSPICIOUS. The core log-reading behavior matches the stated purpose, but the skill also modifies the Codex auth file to switch accounts, which is sensitive and somewhat disproportionate for quota checking. No clear malicious exfiltration or non-official network routing is shown, so this is not confirmed malware, but it carries medium security risk due to credential-file handling and incomplete install-trust evidence in the provided excerpt.