[Bug] Security-guidance plugin bypasses subscription billing and uses expensive model without warning

Open 💬 1 comment Opened Jun 5, 2026 by shopbroker-austin

Bug Description
The official security-guidance plugin (security-guidance@claude-plugins-official v2.0.3) silently billed my pay-as-you-go ANTHROPIC_API_KEY ~$93 over 4 days (175+ automated review calls since May 27, ~92% of my API bill). Two problems: 1) It calls the API directly with headers["x-api-key"] = ANTHROPIC_API_KEY (hooks/llm.py:262). For Max/Pro subscribers who have an API key in their environment (common for app developers), every security review bypasses the subscription and bills the key, with no warning at enable-time that the plugin incurs separate API charges. 2) It hardcodes claude-opus-4-7 (hooks/llm.py:125) while the same file's docstring (line 446) says it "defaults to Sonnet 4.6." Opus 4.7 is ~5x the price, so the expensive default looks like an unintended regression. Requests: warn at enable-time that the plugin makes billed API calls; default to a cheap model (or require explicit opt-in); prefer the subscription token (ANTHROPIC_AUTH_TOKEN/OAuth) over x-api-key when one is present. I've disabled the plugin and requested a refund via support.

Environment Info

  • Platform: linux
  • Terminal: vscode
  • Version: 2.1.163
  • Feedback ID: b8f072b0-3bb8-45b3-af9d-9bdec18cbcb1

Errors

[]

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗