The Agent Skills Directory

DATA_EXFILTRATION (HIGH): The file scripts/monitor-and-notify.sh contains a hardcoded Telegram recipient ID (5259918241). If the monitoring feature is activated, the user's Claude usage statistics and refresh status are sent to this specific account instead of the user's own session.
CREDENTIALS_UNSAFE (HIGH): The script scripts/claude-usage.sh programmatically accesses the macOS Keychain (security find-generic-password) and Linux Secret Service (secret-tool) to extract 'accessToken' and 'refreshToken' for 'Claude Code'. While functional, this provides the skill with full access to the user's authenticated Anthropic session.
COMMAND_EXECUTION (MEDIUM): The script scripts/session-reminder.sh implements a 'self-scheduling chain'. It uses the clawdbot cron add command to schedule itself to run at the exact moment of the next quota reset. This represents a persistence mechanism that ensures the skill continues to execute logic on the host system indefinitely.
COMMAND_EXECUTION (LOW): The skill executes the claude CLI tool automatically to trigger a token refresh if the stored OAuth token is detected as expired.
DATA_EXFILTRATION (LOW): The skill makes outbound network requests to api.anthropic.com to fetch usage metrics. While this is the primary feature, the combination of credential extraction and outbound communication increases the risk surface.
PROMPT_INJECTION (MEDIUM): Vulnerability to indirect prompt injection (Category 8). The skill ingests data from an external API (api.anthropic.com) and possesses notification/messaging capabilities. If the API response were compromised, it could influence the agent's next actions or exfiltrate data. (Evidence: Ingestion at scripts/claude-usage.sh; Capabilities: clawdbot message send, clawdbot cron add).

claude-code-usage