claude-usage-analyst — agentic threat model
The claude-usage-analyst is a low-autonomy local utility agent whose primary risk stems from reading local host logs, making it vulnerable to local data exfiltration or prompt injection if log contents are maliciously manipulated.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — likely relies on Claude models via Claude Desktop/Code. The primary threat is indirect prompt injection if malicious or crafted data is written to the local usage logs and subsequently parsed by the model.
Reads local usage logs (ccusage data) on the host. Threats include data exfiltration of sensitive usage patterns, metadata, or log poisoning where manipulated log files skew the analysis or inject malicious payloads.
Not certain from the listing — likely implemented as a Model Context Protocol (MCP) tool or local script. Threat includes insecure tool integration if the file-reading mechanism lacks strict path-traversal limitations.
Runs locally on the host machine to read local logs. Threat includes local privilege escalation or unauthorized local file access if the agent framework running the skill is compromised.
Not certain from the listing — being a free, open-source community skill, it likely lacks dedicated evaluation, guardrails, or anomaly detection to identify tampered log inputs.
Not certain from the listing — there are no mentioned authentication, authorization, or compliance controls. It relies entirely on the host operating system's file permissions to restrict access to the logs.
Operates as a 'Community Agent Skill' within the Claude Desktop/Code ecosystem. Threat includes horizontal trust abuse if other local agents or tools invoke this skill to gather intelligence on the user's model usage and costs.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).