Back to skill

Security audit

Ask Claude Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a Claude Code delegation wrapper, but it runs delegated sessions with permission checks bypassed, giving broad file and command authority without enough user control.

Install only if you intentionally want a delegated Claude Code runner that can act broadly in your project. Use it in trusted repositories, review the helper script first, prefer removing `--permission-mode bypassPermissions`, and treat delegated runs as capable of editing files and running commands without the usual approval prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The README explicitly instructs use of `claude --permission-mode bypassPermissions`, which disables Claude Code's normal safety gate before executing actions. In a delegation skill that may analyze, edit files, and run follow-up tasks with remembered context, this materially broadens what delegated runs can do and increases the chance of unintended or unsafe file/system modifications.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script invokes Claude Code with `--permission-mode bypassPermissions`, which disables normal safety/approval boundaries and grants the delegated agent broad authority to act in the selected working directory. In this skill's context, the tool is explicitly meant to accept arbitrary user tasks and immediately return results, so running the delegated model with unrestricted permissions materially increases the chance of dangerous file changes, command execution, or abuse of persistent session context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The usage examples describe asking Claude to fix code and write tests, but do not clearly warn users that delegated runs may modify files in the current project. Because the skill is synchronous and reports back after execution, a user may not realize edits could already have occurred before they see the response.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README shows the skill invoking Claude Code with permission checks bypassed but does not prominently warn users that this disables approval barriers for potentially sensitive actions. In context, this is especially dangerous because the skill is presented as convenient delegation inside an agent workflow, making powerful execution easy to trigger without informed consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill advertises broad triggers such as 'any task benefiting from Claude Code's tools' and 'always run synchronously,' which can cause it to activate for many ordinary user requests and delegate them to an external CLI with file editing and shell capabilities. In this context, overbroad activation increases the chance of unnecessary tool execution and unintended data exposure or system changes, especially because sessions persist by workdir.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill includes direct shell commands invoking `claude --permission-mode bypassPermissions`, which explicitly disables normal safety gating for a tool that can read files, edit code, and run commands. Because the skill also instructs immediate execution/reporting and mentions persistent sessions, users may trigger powerful actions without any warning about filesystem changes, command execution, or reuse of prior sensitive context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script launches a powerful external coding agent and suppresses normal permission checks without any warning, approval step, or indication to the user that elevated execution is occurring. Because the skill is designed to delegate arbitrary coding and shell-capable tasks, a user may unknowingly trigger high-impact actions in the filesystem or environment under a persistent session.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.