[Bug] Security-guidance plugin bypasses subscription billing and uses expensive model without warning
Bug Description
The official security-guidance plugin (security-guidance@claude-plugins-official v2.0.3)
silently billed my pay-as-you-go ANTHROPIC_API_KEY ~$93 over 4 days (175+ automated
review calls since May 27, ~92% of my API bill). Two problems:
1) It calls the API directly with headers["x-api-key"] = ANTHROPIC_API_KEY
(hooks/llm.py:262). For Max/Pro subscribers who have an API key in their environment
(common for app developers), every security review bypasses the subscription and bills
the key, with no warning at enable-time that the plugin incurs separate API charges.
2) It hardcodes claude-opus-4-7 (hooks/llm.py:125) while the same file's docstring (line
446) says it "defaults to Sonnet 4.6." Opus 4.7 is ~5x the price, so the expensive
default looks like an unintended regression.
Requests: warn at enable-time that the plugin makes billed API calls; default to a cheap
model (or require explicit opt-in); prefer the subscription token
(ANTHROPIC_AUTH_TOKEN/OAuth) over x-api-key when one is present. I've disabled the plugin
and requested a refund via support.
Environment Info
- Platform: linux
- Terminal: vscode
- Version: 2.1.163
- Feedback ID: b8f072b0-3bb8-45b3-af9d-9bdec18cbcb1
Errors
[]This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗