claude-code-usage-report
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a bundled Python script (usage_report.py) using the local Python interpreter to process session statistics. This script uses only standard library modules and operates on local data.
- [DATA_EXFILTRATION]: The skill accesses Claude Code session history stored in the user's home directory (~/.claude/projects/) to extract token counts and model identifiers. This data is processed locally and presented only to the user.
- [EXTERNAL_DOWNLOADS]: The skill instructions guide the agent to fetch updated pricing information from Anthropic's official documentation website when requested. This reference to a well-known service is used to ensure the accuracy of the cost estimation.
- [PROMPT_INJECTION]: A minor surface for indirect prompt injection exists via project directory names being included in the report. However, the model classification logic uses a fixed mapping for model names and generations, effectively neutralizing malicious instructions in model identifiers.
Audit Metadata