model-usage
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/model_usage.py utilizes the subprocess.check_output method to execute the codexbar CLI utility. The command parameters are sanitized through an argument parser with fixed choices, mitigating the risk of command injection.
- [DATA_EXFILTRATION]: The skill identifies and reads from sensitive local directories containing session history, specifically ~/.codex/sessions/ and directories related to Claude projects (e.g., ~/.config/claude/projects/). This access is fundamental to the skill's primary purpose of cost analysis but involves handling sensitive user information.
- [EXTERNAL_DOWNLOADS]: The skill's configuration specifies the installation of a binary dependency (codexbar) from a third-party Homebrew tap (steipete/tap/codexbar). This repository is owned by the skill's author and is required for the tool's core functionality.
Audit Metadata