Proposal: Behavioral session profiling for targeted CLI wrapper abuse detection

Resolved 💬 2 comments Opened Apr 5, 2026 by Sn3th Closed May 16, 2026

Summary

I built a tool that distinguishes legitimate Claude Code developers from CLI wrapper abuse by analyzing session behavioral data that Claude Code already collects. It's open source, zero dependencies (Python 3.8+ stdlib), and runs entirely locally.

Repo: https://github.com/Sn3th/claude-k2-session-guard

Why

CLI wrapper tools (OpenClaw, claude-code-provider, horselock, etc.) abuse the Claude Code CLI as a free API proxy. This is a real problem costing Anthropic real compute. But the current mitigation degrades sessions for all users equally, including developers using the product exactly as intended: dev on CLI, production on the API.

The behavioral difference between a real developer and a CLI wrapper is massive. This tool measures it and proves targeted detection is viable.

What It Measures

Session-level signals (per session):

  • Idle ratio (humans think and pause, wrappers don't)
  • Cadence variance (humans have irregular timing, wrappers are uniform)
  • Prompt entropy (humans use diverse vocabulary, wrappers are templated)
  • Corrections ("no", "wait", "actually" = human. Zero corrections = bot)
  • Tool diversity (developers use Read, Edit, Bash, Grep, etc. Wrappers use 1-2 tools or zero)
  • Scaffold detection (machine-generated <tool_result> XML, serialized JSON schemas)
  • Single-turn sessions (one prompt in, one response out = subprocess shim signature)

Account-level signals (across all sessions + git):

  • Developer vs automated session ratio and proportionality
  • Git commit correlation (legitimate automation is proportional to commits)
  • Commit cadence, daily variance, peak hours, co-authors
  • Sessions-per-commit ratio

Results Against Real Data

Tested against 6,800+ sessions and 1,800+ commits from a single developer account:

Sessions (6,830 total)
  Developer-side:   1,805 (26%)
  Automated:        2,459 (36%)
  Ratio:            1.4:1 auto:dev

Git: 1,824 commits across 4 repos in 64 days
  28.5 commits/day
  3.7 sessions per commit

ACCOUNT SCORE: 100/100 LEGITIMATE_DEVELOPER

The "automated" sessions are post-commit code review hooks and CI tooling. The ratio is proportional to development activity. A wrapper account would show zero developer sessions, zero git commits, and thousands of automated sessions with no proportionality.

The 5 Kill Signals

Based on analysis of actual wrapper codebases (sonami-tech/claude-code-provider, horselock/claude-code-proxy, AIDotNet/ClaudeCodeProxy, kiyo-e/claude-code-proxy, openclaw):

  1. Zero developer sessions + zero git output + sustained volume
  2. Sustained absence of ALL human behavioral signals across 50+ sessions
  3. No real Claude tool loops on accounts claiming coding usage
  4. One-shot session fragmentation (high spawn rate, seconds-long, one turn each)
  5. Machine-converted prompt scaffolding in session data

Honest Caveat

Some wrappers bypass Claude Code entirely (direct HTTP impersonation) or suppress session persistence (--no-session-persistence). JSONL-based detection can't see those. Server-side detection at the API level is needed for complete coverage. This tool proves the detection model works. Anthropic has the data to apply it server-side.

How to Try It

git clone https://github.com/Sn3th/claude-k2-session-guard.git
cd claude-k2-session-guard
python3 session_guard.py --account --limit 10000 --min-messages 1

Reads ~/.claude/projects/ and local git repos. No data sent anywhere.

Related

  • #42542

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗