📊 claude-usage-cli — 用量查询
v0.2.0在命令行一键查询 Claude API 用量与费用,支持表格/JSON 输出,Admin API 密钥自动存入 macOS 钥匙串,安全无忧。
0· 1.2k·3 当前·3 累计
by 下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Before installing: 1) Confirm the npm package and GitHub repository are legitimate (owner, recent commits, stars, issues) and inspect the CLI source — SKILL.md's claims about Keychain and network scope can only be validated by reading code. 2) Do not paste a high-privilege Admin key unless necessary — prefer a least-privilege/read-only token or an account that limits blast radius. 3) Verify the npm package tarball (npm view / integrity) or build from source (git clone) if you want to audit befor...详细分析 ▾
⚠ 用途与能力
The SKILL.md clearly requires an Anthropic Admin API key (sk-ant-admin...) and describes storing it in macOS Keychain, but the registry metadata lists no required environment variables or primary credential. Requiring the 'claude-usage' and 'node' binaries is consistent with a CLI wrapper, however the omission of the Admin API credential in the skill metadata is an inconsistency that reduces transparency.
ℹ 指令范围
The runtime instructions are limited to installing/running a CLI (claude-usage) and using Keychain to store an Admin API key; they do not ask the agent to read arbitrary files or system state. However, the SKILL.md makes concrete claims about network scope (only contacting api.anthropic.com over HTTPS) and key handling (never written to disk in plaintext) that cannot be verified from an instruction-only skill with no code. Because the skill delegates behavior to an external binary, those claims should be validated by inspecting the CLI's code or package.
ℹ 安装机制
SKILL.md recommends installing via npm (npm install -g claude-usage-cli) or git-clone/build. npm/global install is a common but moderately risky install vector because it executes third-party code from the registry; the SKILL.md references a GitHub repo which is a good sign, but the registry metadata reported 'No install spec' — the presence of install instructions inside SKILL.md but not in the top-level install spec is an inconsistency to confirm. Verify the npm package and GitHub source before installing.
⚠ 凭证需求
The tool requires an Admin API key to query organization usage/costs. Admin keys can be sensitive/powerful; the skill metadata does not declare any required credential or primaryEnv, which is misleading. The SKILL.md asserts read-only scope for that key, but you should treat an Admin key as a high-privilege secret and prefer least-privilege tokens if available.
✓ 持久化与权限
The skill is not force-included (always:false) and does not request persistent system-wide privileges. It stores the API key in the user's macOS Keychain (as documented) and claims not to write plaintext to disk. There is no evidence in the provided files that the skill modifies other skills or system settings.
安全有层次,运行前请审查代码。
运行时依赖
🖥️ OSmacOS
版本
latestv0.2.02026/2/11
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install claude-usage-cli
镜像加速npx clawhub@latest install claude-usage-cli --registry https://cn.longxiaskill.com