Back to skill

Security audit

ECCSystem

Security checks across malware telemetry and agentic risk

Overview

This appears to be a developer-agent workflow bundle, but it changes agent/project state and encourages several high-impact actions without consistently clear consent, scoping, or safety gates.

Install only after reviewing the bundled installer and each bundled skill. Use dry-run or a throwaway agent profile if available, avoid --force or uninstall modes unless you have backups, and require explicit confirmation before it reads ~/.claude data, modifies .claude or CLAUDE.md files, runs third-party eval tasks, captures traces, sends configuration data to external APIs, or merges repository changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises and facilitates running a bundled installer that writes multiple SKILL.md files into the user's local skills directory, yet the manifest declares no permissions. This is dangerous because it obscures the skill's true file-system impact and can cause users or enforcement systems to trust a package that performs local file writes and potential overwrites.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is installation of an ECC bundle, but the documented behavior also includes uninstalling skills, deleting existing skill directories, and creating backups of overwritten files. This mismatch is dangerous because users may invoke the tool expecting only additive installation while it can perform destructive or state-altering filesystem operations outside that expectation.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill claims to be advisory-only and not to take implementation actions, yet it explicitly instructs the agent to inspect local project files such as CLAUDE.md and manifest files. That creates a capability mismatch: a user asking only for prompt rewriting may unintentionally trigger workspace reconnaissance and expose repository metadata or sensitive local context beyond what is necessary for the stated role.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
The skill performs broad local repository detection across many ecosystem files to infer tech stack, which is a form of reconnaissance. While likely intended to improve prompt quality, this exceeds a minimal advisory role and may collect unnecessary context from the workspace, increasing privacy and least-privilege concerns.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The CSP example is presented as a recommended security header, but it explicitly allows 'unsafe-inline' and 'unsafe-eval' for scripts, which materially weakens XSS protections and can normalize insecure defaults for users copying the snippet. In a security-review skill, this is more dangerous than in generic documentation because readers are likely to trust and reuse the example as authoritative guidance.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installation section tells users to run the installer but omits prominent warnings that it writes into ~/.agents/skills by default and may overwrite existing skills when forced. In a skill-distribution context, this increases the risk of unintended modification of a trusted local agent environment and reduces informed consent for filesystem changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This is a real safety issue because the skill encourages use of a tool that executes task-defined judge commands and operates on a user-selected repository, yet the documentation does not clearly warn that task YAML can trigger arbitrary local commands such as pytest, build scripts, or other shell commands. In this context, users may treat benchmark task files or third-party task definitions as harmless fixtures, when they can in practice execute untrusted code against the local codebase and environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This guidance explicitly promotes a fully autonomous loop that creates branches, opens PRs, waits on CI, auto-fixes failures, and merges changes back without a required human approval step. In a skill specifically about autonomous agent loops, that combination materially increases the chance that unsafe, incorrect, or security-impacting code is landed into a repository solely because automated checks passed, which is an unreliable substitute for human review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to write or update a repository-root `CLAUDE.md`, which is a persistent filesystem modification, but it does not require obtaining fresh user confirmation at the moment of the write or warning that repository files will be changed. In an onboarding context, users may expect analysis and generated output in chat, not an automatic repo mutation, creating a risk of unintended file changes, noisy commits, or accidental overwrite/merge of existing project guidance.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation conditions are very broad and include generic phrases like 'research', 'deep dive', and 'investigate', which can cause this skill to trigger for many common requests outside a narrowly scoped research workflow. Overbroad activation increases the chance of unintended tool use, unnecessary web access, and invocation of parallel agents when the user may have expected a simpler or more constrained response.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to save long reports to a file without requiring user consent or even notifying the user before writing. Unprompted file creation can leak sensitive research content into the workspace, overwrite existing files if path handling is later added unsafely, and violate user expectations about side effects.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger list uses broad everyday phrases like 'help me prompt' and 'rewrite this prompt,' which can cause the skill to activate in situations where the user did not intend a prompt-optimization workflow. Over-broad invocation increases the chance that repository inspection, command recommendations, or workflow shaping occurs unexpectedly.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The usage guidance repeats ambiguous activation conditions without strict boundaries, making accidental invocation more likely. In a skill that may inspect project files and shape subsequent agent behavior, ambiguity in routing is security-relevant because it widens the set of prompts that can trigger privileged context gathering.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises `--fix` as a safe convenience feature but does not clearly warn that it will modify files in the user's `.claude/` configuration. In a security-sensitive config context, implicit file modification can cause unintended policy changes, overwrite local customizations, or normalize risky changes without sufficient user review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The deep-analysis workflow instructs users to export an API key and send data to an external service, but it does not clearly disclose that project configuration content may be transmitted off-machine for analysis. Because the scanned files can include secrets, internal prompts, hooks, and infrastructure details, lack of a privacy/data-handling warning creates meaningful confidentiality risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation conditions include broad natural-language triggers like asking whether a rule is being followed or using it periodically for maintenance, without requiring clear user confirmation of the target or execution scope. In this skill, activation leads to scenario generation and agent execution, so vague triggers can cause unintended high-cost runs, analysis of unintended files, or collection of tool-call traces when the user did not explicitly request that level of action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes running agents and capturing tool-call traces, but it does not present a prominent user warning about execution, possible cost, or the sensitivity of collected traces. Because this workflow invokes `claude -p` across generated scenarios and records timelines, users may unknowingly trigger expensive actions or expose prompts, file paths, and behavioral metadata in generated reports.

Agent Config Directory Access

High
Category
Agent Snooping
Content
0. Does this already exist in the repo? → `rg` through relevant modules/tests first
1. Is this a common problem? → Search npm/PyPI
2. Is there an MCP for this? → Check `~/.claude/settings.json` and search
3. Is there a skill for this? → Check `~/.claude/skills/`
4. Is there a GitHub implementation/template? → Run GitHub code search for maintained OSS before writing net-new code
Confidence
86% confidence
Finding
~/.claude/settings.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.