This document describes the security model of GLM Usage Monitor — how it
works, an honest threat model, and the one way it differs from the extension it
was modeled on (msadofschi/claudetrack).
The extension is open source and unminified. Every claim below is checkable against the source in this repository, primarily `manifest.json`, `background.js`, `popup.js`, and `options.js`.
## The one difference from claudetrack

claudetrack reads claude.ai usage by riding your session cookie (`credentials: 'include'`) — no key needed, because the page is cookie-authed.

GLM Coding Plan usage is not cookie-authed. The Z.AI monitor API (`api.z.ai/api/monitor/usage/*`) requires an `Authorization: <token>` header (the same Coding Plan key you use with Claude Code). So this extension asks you to paste that key once in Settings, and stores it locally. That is the unavoidable difference, and the rest of this model is about bounding its blast radius.
## Permissions

Declared in `manifest.json`:

| Permission | Why | What it does not grant |
|---|---|---|
| `storage` | Persist the key + usage data + prefs locally | No network, no page access, no sync |
| `alarms` | Schedule the periodic refresh | Nothing else |
| host: `api.z.ai/api/monitor/usage/{quota/limit,model-usage,tool-usage}` | Read Z.AI usage | Read-only; no other path on api.z.ai |
| host: `open.bigmodel.cn/api/monitor/usage/{quota/limit,model-usage,tool-usage}` | Same, for the China platform | Read-only |

There is no `cookies`, `tabs`, `scripting`, `webRequest`, `<all_urls>`, or any broad host permission. There are no content scripts, no `web_accessible_resources`, and no `externally_connectable`.
## What it can and cannot see

| Can read (with your key) | Cannot access |
|---|---|
| 5-hour / weekly token usage %, totals, reset times | Your chats, code, or files |
| Monthly MCP usage % + per-tool counts | Billing or payment methods |
| 24-hour model/tool usage counts | Any non-monitor endpoint or other domain |
| Your plan tier label (e.g. Pro) | The value of any other credential |
## What it does at runtime

- Network: `GET` to one of the six monitor paths above (`background.js`). It cannot send messages, spend quota, or mutate your account.
- Storage: `chrome.storage.local` on your device.
- Rendering: `.textContent`, never `innerHTML` (`popup.js`, `options.js`), so a malformed or hostile response cannot inject markup.
- Messaging: `background.js` only accepts `REFRESH`, `SET_INTERVAL`, and `TEST_CONNECTION` from this extension’s own pages. With no `externally_connectable`, no web page can message the extension.

## Threat model

### Your key

Unlike claudetrack (which holds no credential), this extension stores your Coding Plan key. Realistically that key already grants more than this extension ever does — it can make model calls and spend your plan — so the extension does not increase the key’s reach. But a key stored on disk is a key worth protecting:
- Stored in `chrome.storage.local` (the extension’s local DB), not `sync`.
- It does not leave your device except in the `Authorization` header to the monitor endpoints above.
- If you do not use the China platform, you can remove the `open.bigmodel.cn` entries from `host_permissions` before installing.

### Malicious update or compromised maintainer

This is the realistic, generic risk for any auto-updating extension. A compromised build is bounded by what the manifest already grants; reaching further would mean adding `host_permissions` — which is not silent: the browser surfaces a new-permission prompt and disables the extension until you re-approve it, the change is visible in a public diff, and it is subject to store review.

### Supply chain

The extension has zero third-party runtime dependencies: no `package.json`, no bundler, no build step. The JavaScript in this repository is exactly what runs. There is no npm layer for a malicious package to ride in through.
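The two bounds described above (the key travels only in an `Authorization` header to one of the six monitor URLs, and `background.js` acts only on `REFRESH`, `SET_INTERVAL` and `TEST_CONNECTION` from the extension’s own pages, rendering API text via `textContent`), shown as an added example that is not the extension’s own code; `isMonitorUrl`, `buildMonitorRequest`, `acceptMessage` and `renderLabel` are placeholder names for this illustration, not names from the repository.

```javascript
// Added example (not the extension's own code). It makes the two bounds from the
// text concrete: the key rides only in an Authorization header to one of the six
// monitor URLs, and the background page acts only on the three allowlisted message
// types sent by this extension's own pages. Function names are placeholders.

const MONITOR_HOSTS = new Set(['api.z.ai', 'open.bigmodel.cn']);
const MONITOR_PATHS = new Set([
  '/api/monitor/usage/quota/limit',
  '/api/monitor/usage/model-usage',
  '/api/monitor/usage/tool-usage',
]);
const ALLOWED_TYPES = new Set(['REFRESH', 'SET_INTERVAL', 'TEST_CONNECTION']);

// True only for https URLs on a declared host with one of the three monitor paths
// (2 hosts x 3 paths = the six monitor paths the manifest grants).
function isMonitorUrl(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.protocol === 'https:' && MONITOR_HOSTS.has(u.hostname) && MONITOR_PATHS.has(u.pathname);
}

// The only shape of request the key may appear in. Refusing everything else means
// a bug elsewhere cannot turn the stored key into a credential for another origin.
function buildMonitorRequest(url, key) {
  if (!isMonitorUrl(url)) throw new Error('refusing to send the key to a non-monitor URL');
  return { url, init: { method: 'GET', headers: { Authorization: key } } };
}

// Returns the accepted message type, or null if the message must be ignored.
// `selfId` stands in for chrome.runtime.id; the browser fills in `sender.id`.
function acceptMessage(msg, sender, selfId) {
  if (!sender || sender.id !== selfId) return null;      // not from this extension's own pages
  if (!msg || !ALLOWED_TYPES.has(msg.type)) return null; // closed allowlist, no default branch
  return msg.type;
}

// Untrusted API text goes in via textContent, so any markup in it stays inert text.
function renderLabel(el, value) {
  el.textContent = String(value);
  return el.textContent;
}

// Wire the allowlist into the real listener when running inside the extension.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    const type = acceptMessage(msg, sender, chrome.runtime.id);
    if (type) sendResponse({ ok: true, type });
    return false;
  });
}
```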
## Data

All data lives in `chrome.storage.local`. Nothing is synced to a server, sent to the maintainer, or shared with third parties. See `manifest.json`.

## Reporting a security problem

Open a private issue or contact the maintainer via the repository. Do not open a public issue for security problems.