Proposal: Behavioral session profiling for targeted CLI wrapper abuse detection
Summary
I built a tool that distinguishes legitimate Claude Code developers from CLI wrapper abuse by analyzing session behavioral data that Claude Code already collects. It's open source, zero dependencies (Python 3.8+ stdlib), and runs entirely locally.
Repo: https://github.com/Sn3th/claude-k2-session-guard
Why
CLI wrapper tools (OpenClaw, claude-code-provider, horselock, etc.) abuse the Claude Code CLI as a free API proxy. This is a real problem costing Anthropic real compute. But the current mitigation degrades sessions for all users equally, including developers using the product exactly as intended: dev on CLI, production on the API.
The behavioral difference between a real developer and a CLI wrapper is massive. This tool measures it and proves targeted detection is viable.
What It Measures
Session-level signals (per session):
- Idle ratio (humans think and pause, wrappers don't)
- Cadence variance (humans have irregular timing, wrappers are uniform)
- Prompt entropy (humans use diverse vocabulary, wrappers are templated)
- Corrections ("no", "wait", "actually" = human. Zero corrections = bot)
- Tool diversity (developers use Read, Edit, Bash, Grep, etc. Wrappers use 1-2 tools or zero)
- Scaffold detection (machine-generated
<tool_result>XML, serialized JSON schemas) - Single-turn sessions (one prompt in, one response out = subprocess shim signature)
Account-level signals (across all sessions + git):
- Developer vs automated session ratio and proportionality
- Git commit correlation (legitimate automation is proportional to commits)
- Commit cadence, daily variance, peak hours, co-authors
- Sessions-per-commit ratio
Results Against Real Data
Tested against 6,800+ sessions and 1,800+ commits from a single developer account:
Sessions (6,830 total)
Developer-side: 1,805 (26%)
Automated: 2,459 (36%)
Ratio: 1.4:1 auto:dev
Git: 1,824 commits across 4 repos in 64 days
28.5 commits/day
3.7 sessions per commit
ACCOUNT SCORE: 100/100 LEGITIMATE_DEVELOPER
The "automated" sessions are post-commit code review hooks and CI tooling. The ratio is proportional to development activity. A wrapper account would show zero developer sessions, zero git commits, and thousands of automated sessions with no proportionality.
The 5 Kill Signals
Based on analysis of actual wrapper codebases (sonami-tech/claude-code-provider, horselock/claude-code-proxy, AIDotNet/ClaudeCodeProxy, kiyo-e/claude-code-proxy, openclaw):
- Zero developer sessions + zero git output + sustained volume
- Sustained absence of ALL human behavioral signals across 50+ sessions
- No real Claude tool loops on accounts claiming coding usage
- One-shot session fragmentation (high spawn rate, seconds-long, one turn each)
- Machine-converted prompt scaffolding in session data
Honest Caveat
Some wrappers bypass Claude Code entirely (direct HTTP impersonation) or suppress session persistence (--no-session-persistence). JSONL-based detection can't see those. Server-side detection at the API level is needed for complete coverage. This tool proves the detection model works. Anthropic has the data to apply it server-side.
How to Try It
git clone https://github.com/Sn3th/claude-k2-session-guard.git
cd claude-k2-session-guard
python3 session_guard.py --account --limit 10000 --min-messages 1
Reads ~/.claude/projects/ and local git repos. No data sent anywhere.
Related
- #42542
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗