Security audit

Claude Managed Agents

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but coherent Claude Managed Agents administration skill whose sensitive actions are disclosed and user-directed.

Install only if you intend to let an agent administer Claude Managed Agents resources with your Anthropic API key. Use a least-privilege key where possible, keep ANTHROPIC_API_BASE_URL pointed at a trusted Anthropic endpoint, prefer limited networking, review resource IDs and mounted files before mutations, archive before deleting, and upload only files you are comfortable sending to the managed-agent service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tainted flow: 'request' from os.environ.get (line 415, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 89%
Content:
        request = urllib.request.Request(url=url, data=data, headers=headers, method=method.upper())
        try:
            with urllib.request.urlopen(request, timeout=self.timeout) as response:
                raw = response.read().decode("utf-8")
                if accept == "text/event-stream":
                    return raw
Finding: with urllib.request.urlopen(request, timeout=self.timeout) as response:

Tainted flow: 'request' from os.environ.get (line 415, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 88%
Content:
        }
        request = urllib.request.Request(url=url, headers=headers, method="GET")
        try:
            with urllib.request.urlopen(request, timeout=self.timeout) as response:
                return response.read()
        except urllib.error.HTTPError as exc:
            raw = exc.read().decode("utf-8", errors="replace")
Finding: with urllib.request.urlopen(request, timeout=self.timeout) as response:

Tainted flow: 'request' from os.environ.get (line 415, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 88%
Content:
        }
        request = urllib.request.Request(url=url, headers=headers, method="GET")
        try:
            with urllib.request.urlopen(request, timeout=self.timeout) as response:
                data_lines: list[str] = []
                for raw_line in response:
                    line = raw_line.decode("utf-8").rstrip("\r\n")
Finding: with urllib.request.urlopen(request, timeout=self.timeout) as response:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares powerful capabilities through compatibility metadata and documented behavior, but does not expose an explicit permissions model despite involving environment variables, filesystem access, network access, and external service interaction. This increases the chance that the orchestrator or user invokes a high-privilege skill without clear scoping or review, especially since it can manage agents, sessions, files, and networking remotely.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The invocation text is extremely broad: 'Use this whenever...' covers many ordinary requests related to agents, sessions, files, skills, packages, and networking. Overbroad routing can cause the skill to activate in contexts where its high-privilege capabilities are unnecessary, exposing secrets, files, or remote admin operations to routine workflows.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The document includes archive and delete commands for agents, environments, and sessions without any safety guidance, confirmation steps, or warnings about permanence and operational impact. In a skill meant to help manage live managed-agent resources, this increases the chance of accidental destructive actions against real assets, especially if a user copy-pastes commands without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The example creates an environment with unrestricted networking and provides no warning about outbound connectivity, access to external systems, or potential data exfiltration paths. In the context of managed agents, this can normalize insecure defaults and lead users to deploy agents with broader network access than necessary.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The document instructs users to upload arbitrary local files to a remote managed service but never warns that file contents leave the local machine and may contain sensitive data. In a skill specifically designed to manage remote agents and session resources, that omission materially increases the risk of accidental data exfiltration through routine use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The file deletion example shows a destructive operation without explaining permanence, affected scope, or recovery limitations. In an operational management skill, users may copy commands directly, so missing guardrails can cause accidental deletion of artifacts needed for audits, debugging, or ongoing workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The quickstart instructs users to upload a local file to the managed agents service without explicitly warning that the file contents leave the local machine and become available to a remote service. In a security-sensitive agent-management skill, this omission can lead to accidental disclosure of secrets, proprietary data, or regulated information if users follow the example with real files.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The quickstart creates an environment with `--network unrestricted` and does not explain that the resulting agent runtime may have outbound network connectivity. In this skill's context, that is more dangerous than usual because the skill is specifically for managing remote agents and sessions, so users may unknowingly enable exfiltration paths or internet access beyond their expected trust boundary.

Context Leakage

Severity: High
Category: Data Exfiltration
Confidence: 88%
Content:
        ---
        name: claude-managed-agents
        description: Manage Claude Managed Agents end to end through a Python helper CLI, with ant CLI equivalents documented as a secondary path. Use this whenever the user wants to create, update, list, archive, or inspect Claude Managed Agents agents, environments, sessions, or event streams; configure built-in tools, MCP servers, skills, packages, or networking; send session messages, interrupts, confirmations, or custom tool results; or work with Anthropic's managed-agents beta lifecycle from this machine.
        compatibility:
          tools: Read, Edit, Bash
          dependencies: Python 3, ANTHROPIC_API_KEY, optional anthropic SDK, optional ant CLI
Finding: send session

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Severity: Critical
Code: suspicious.dynamic_code_execution
Location: tests/test_managed_agents.py:15