Back to skill

Security audit

Ecc Bundle 2026 07 08

Security checks across malware telemetry and agentic risk

Overview

This bundle does not look like malware, but it persistently installs many agent skills and several include broad file-reading, file-writing, command-running, or repo-changing workflows that need closer review.

Install only if you want a broad ECC workflow bundle to persistently change your agent's available skills. Run the installer with --dry-run first, avoid --force unless you intend to replace existing skills, and review the bundled skills that can read ~/.claude or project files, write CLAUDE.md/reports/config, run shell commands, use external research services, or automate git pushes and merges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and instructs execution of a bundled Python installer that writes into the user's local skills directory, yet the skill metadata declares no permissions. That omission weakens trust and reviewability because users and platforms may not realize the skill has filesystem write capability before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose frames the skill as a bundle installer, but the documented behavior includes uninstalling, deleting skill directories, making backups, and operating on a broad default path under ~/.agents/skills. This mismatch can cause users to run a tool with destructive or wider-than-expected filesystem effects, increasing the risk of accidental data loss or unauthorized modification of an agent environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as an analysis/onboarding aid, but it also directs the agent to write or update a project-root CLAUDE.md. That creates a scope-expansion from read/analyze into modifying repository contents, which can surprise users and cause unauthorized or unintended changes in a codebase.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims to be advisory-only, but its Phase 0 instructs the agent to inspect the working directory and read project files such as CLAUDE.md, package.json, and other manifests. Even without executing code, this expands the skill from pure prompt rewriting into autonomous environment inspection, which can expose sensitive repository context or surprise users who expected a text-only transformation.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The CSP example is presented as recommended security guidance, yet it permits 'unsafe-inline' and 'unsafe-eval' in script-src, which materially weakens XSS defenses and can normalize insecure defaults. In a security-review skill, users are likely to copy this snippet directly, so the contradictory guidance increases the chance of deploying an application with an unnecessarily permissive CSP.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The install section tells users how to run the installer and use --force, but does not prominently warn that it writes files into the local skills directory and may overwrite existing skills. In a package that modifies agent capabilities, insufficient warning raises the chance of unsafe execution, accidental replacement of trusted skills, or unintended persistence of bundled content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to run `agent-eval` against repositories and shows judge definitions that execute arbitrary shell commands (`pytest`, `npm run build`, generic `command`) and permit code changes in git worktrees, but it does not clearly warn that these actions execute untrusted task-defined commands and modify files in the target repo/worktree. In this context, users may treat the skill as a safe evaluation workflow and unknowingly run attacker-controlled or poorly reviewed task YAMLs, leading to local code execution, data exposure, or unintended repository changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section describes a loop that automatically creates branches, pushes commits, opens PRs, waits for CI, and merges changes, but it does not place an immediate, explicit safety warning alongside the workflow steps themselves. In a skill focused on autonomous agent loops, that omission increases the chance that a user treats the example as routine automation and runs repository-mutating operations without understanding that code may be pushed and merged with limited human review.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include broad, natural requests such as 'help me understand this codebase' or 'walk me through this repo,' which can cause the skill to activate in situations where the user did not intend the full workflow. Because the workflow can culminate in generating or updating CLAUDE.md, overbroad activation increases the chance of unintended repository modification or excessive analysis.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs writing or updating CLAUDE.md without clearly warning the user that a repository file will be changed. Hidden or insufficiently disclosed write behavior is dangerous because users may expect advice-only output while the agent mutates project state, potentially affecting team workflows or checked-in files.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation rules are broad enough to trigger on many ordinary requests containing words like 'research' or 'investigate', which can cause the agent to invoke external web-search behavior when the user may only want a simple answer. In a tool-using skill, overbroad activation increases the chance of unnecessary data exposure to third-party MCPs and unexpected autonomous behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instruction to save long reports to a file introduces a side effect without requiring explicit user consent or warning. This can create unintended persistence of potentially sensitive research results on disk, which is risky in shared, monitored, or policy-constrained environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document includes `git reset --hard HEAD~1`, which irreversibly discards local changes, but it does not explicitly warn readers about data loss or recovery limitations. In a tutorial-style skill, users may copy commands directly, so omission of a clear warning materially increases the chance of accidental destructive actions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill advertises very broad activation triggers such as 'before starting any feature' and 'when converting a vague idea into a spec,' which can match a large fraction of normal planning conversations. In an agentic system, overly broad routing can cause this skill to activate unexpectedly, pull in project files, and steer workflow decisions outside the user's explicit intent, creating prompt-scope and unintended-action risk even though the content is not overtly malicious.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and overlap with ordinary help-seeking language such as 'help me write a better prompt' or 'how should I use ECC for...'. Over-broad activation can cause the wrong skill to take control, leading to unintended data access through later project detection steps or causing the agent to refuse execution and steer the user into a different workflow than requested.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill encourages use of `scan --fix`, which automatically modifies `.claude` configuration files, but it does not explicitly warn users to review changes, back up config, or understand that project security settings will be altered. In a security-sensitive configuration context, silent or insufficiently cautioned automated changes can weaken workflows, break intended controls, or cause users to apply changes they do not fully understand.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Opus deep-analysis workflow instructs users to export an API key and send scan data to an external LLM-backed service, but it does not clearly warn that configuration contents may be transmitted off-host. Because the scanned files can include secrets, agent definitions, hooks, and MCP configuration, this creates a real privacy and data-handling risk if users run it without understanding what leaves their environment.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation conditions include broad natural-language triggers such as asking whether a rule is being followed or performing periodic maintenance, which can cause the skill to activate in ordinary conversations without explicit user intent. Because this skill runs analysis workflows involving file reads and Bash-backed commands, accidental activation increases the chance of unintended execution, resource use, or evaluation of attacker-chosen paths.

Agent Config Directory Access

High
Category
Agent Snooping
Content
0. Does this already exist in the repo? → `rg` through relevant modules/tests first
1. Is this a common problem? → Search npm/PyPI
2. Is there an MCP for this? → Check `~/.claude/settings.json` and search
3. Is there a skill for this? → Check `~/.claude/skills/`
4. Is there a GitHub implementation/template? → Run GitHub code search for maintained OSS before writing net-new code
Confidence
89% confidence
Finding
~/.claude/settings.json

Tool Parameter Abuse

High
Category
Tool Misuse
Content
git reset --soft HEAD~1

# Undo last commit (discard changes)
git reset --hard HEAD~1

# Undo last commit pushed to remote
git revert HEAD
Confidence
90% confidence
Finding
git reset --hard

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.