Description
Thanks for a great status bar. Claude recommended these changes for my implementation. Just wanted to share in case you wanted to eval them for yourself.
Bennett
awk code injection in format_tokens
$num is interpolated directly into the awk program string. If the JSON input ever contained a malicious context_window_size, it would
execute inside awk.
Before
awk "BEGIN {printf \"%.1fm\", $num / 1000000}"
After — pass as variable, not interpolated code
awk -v n="$num" 'BEGIN {printf "%.1fm", n / 1000000}'
size not validated before arithmetic
[ "$size" -eq 0 ] 2>/dev/null suppresses the error if size is non-numeric but doesn't fix it — the subsequent $(( current * 100 / size ))
will then hard-fail with a bash arithmetic error.
Before
[ "$size" -eq 0 ] 2>/dev/null && size=200000
After — validate it's a positive integer first
[[ "$size" =~ ^[0-9]+$ ]] && [ "$size" -gt 0 ] || size=200000
/tmp/claude cache directory is world-writable
Any local user could pre-create /tmp/claude/statusline-usage-cache.json with fake usage data before the script runs.
Before
mkdir -p /tmp/claude
After
mkdir -m 700 -p /tmp/claude
format_commas is locale-dependent
printf "%'d" uses the LC_NUMERIC locale for thousands separators. In minimal shell environments (CI, some terminals, cron), this silently
prints the raw number with no commas or errors.
Before
format_commas() {
    printf "%'d" "$1"
}
After — locale-independent awk
format_commas() {
    awk -v n="$1" 'BEGIN {
        s = sprintf("%d", n); r = ""; l = length(s)
        for (i = 1; i <= l; i++) {
            if (i > 1 && (l - i + 1) % 3 == 0) r = r ","
            r = r substr(s, i, 1)
        }
        printf "%s", r
    }'
}
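As an added example (not code from the issue or from the repository), the first two fixes above combined into a small POSIX shell helper: the input is checked to be a non-negative integer before it is used anywhere, and numbers reach awk only through `-v`, never as part of the program text. The function names `is_uint`, `format_tokens` and `usage_percent` are assumed, as is the 200000 fallback from the issue.

```shell
#!/bin/sh
# Added example, not the project's own code. Hypothetical helper names.

# is_uint: succeeds only when $1 is a non-empty string of ASCII digits.
# Using case instead of [[ =~ ]] keeps it POSIX sh compatible.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# format_tokens: render a token count as "1.2m", "45.6k" or the raw number.
# Prints nothing and returns 1 for anything that is not a non-negative
# integer, so a malformed or hostile JSON value is never handed to awk.
# The value is passed with -v, so awk sees it as data, not as program text.
format_tokens() {
    num="$1"
    is_uint "$num" || return 1
    if [ "$num" -ge 1000000 ]; then
        awk -v n="$num" 'BEGIN {printf "%.1fm", n / 1000000}'
    elif [ "$num" -ge 1000 ]; then
        awk -v n="$num" 'BEGIN {printf "%.1fk", n / 1000}'
    else
        printf "%s" "$num"
    fi
}

# usage_percent: integer percentage of current/size. Applies the size fix
# from the issue: a non-numeric or zero size falls back to 200000 instead of
# letting $(( )) abort the script; a bad current count is treated as 0.
usage_percent() {
    current="$1"
    size="$2"
    is_uint "$current" || current=0
    { is_uint "$size" && [ "$size" -gt 0 ]; } || size=200000
    echo $(( current * 100 / size ))
}
```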