model-usage
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/model_usage.py` executes the `codexbar` CLI tool to retrieve usage data. The implementation uses `subprocess.check_output` with an argument list rather than a shell string, effectively preventing command injection. Additionally, the `provider` argument is restricted to a set of predefined choices (`codex`, `claude`) via `argparse`.
- [EXTERNAL_DOWNLOADS]: The skill's metadata describes installing the `codexbar` tool using a Homebrew tap (`steipete/tap/codexbar`). This is a well-known developer source (Peter Steinberger) and is used for its intended purpose of providing the required binary for the skill to function.
- [DATA_EXFILTRATION]: There are no network operations (such as `requests`, `urllib`, or `curl`) present in the skill's code. All data processing occurs locally, and results are printed to the standard output.
- [SAFE]: The logic for processing JSON cost logs includes type checking and validation of input structures. It accesses local configuration directories for Codex and Claude as described in its documentation to provide the requested summaries.
Audit Metadata