Security audit

Claude Notifications

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sets up persistent local and remote Claude Code notifications, but users should review the configuration changes before running it.

Install only if you want a persistent notification listener and SSH reverse-forwarding setup. Use only trusted devpod SSH hostnames, review or back up ~/.ssh/config and ~/.claude/settings.json first, and be aware that setup also changes remote ~/.claude and ~/.tmux.conf files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("hooks configured")
"""

    result = subprocess.run(
        ["ssh", host, f"python3 -c '{python_script}'"],
        capture_output=True,
        text=True
Confidence
95% confidence
Finding
result = subprocess.run( ["ssh", host, f"python3 -c '{python_script}'"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"── Setting up devpod: {host} ──")

    # Verify SSH connectivity
    result = subprocess.run(
        ["ssh", "-o", "ConnectTimeout=10", host, "echo ok"],
        capture_output=True,
        text=True
Confidence
91% confidence
Finding
result = subprocess.run( ["ssh", "-o", "ConnectTimeout=10", host, "echo ok"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
info(f"SSH connection to {host} verified")

    # Create dirs and copy notify.py
    subprocess.run(["ssh", host, "mkdir -p ~/.claude/scripts"], check=True)

    src_notify = SCRIPTS_DIR / "notify.py"
    subprocess.run(
Confidence
92% confidence
Finding
subprocess.run(["ssh", host, "mkdir -p ~/.claude/scripts"], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["ssh", host, "mkdir -p ~/.claude/scripts"], check=True)

    src_notify = SCRIPTS_DIR / "notify.py"
    subprocess.run(
        ["scp", str(src_notify), f"{host}:~/.claude/scripts/notify.py"],
        check=True
    )
Confidence
93% confidence
Finding
subprocess.run( ["scp", str(src_notify), f"{host}:~/.claude/scripts/notify.py"], check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
check=True
    )

    subprocess.run(
        ["ssh", host, "chmod +x ~/.claude/scripts/notify.py"],
        check=True
    )
Confidence
90% confidence
Finding
subprocess.run( ["ssh", host, "chmod +x ~/.claude/scripts/notify.py"], check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
info(f"Installed notify.py on {host}")

    # Configure tmux passthrough
    tmux_check = subprocess.run(
        ["ssh", host, 'grep -q "allow-passthrough" ~/.tmux.conf 2>/dev/null && echo "already set" || (echo "" >> ~/.tmux.conf && echo "# Allow OSC escape sequences to pass through for notifications" >> ~/.tmux.conf && echo "set -g allow-passthrough on" >> ~/.tmux.conf && echo "added")'],
        capture_output=True,
        text=True
Confidence
96% confidence
Finding
tmux_check = subprocess.run( ["ssh", host, 'grep -q "allow-passthrough" ~/.tmux.conf 2>/dev/null && echo "already set" || (echo "" >> ~/.tmux.conf && echo "# Allow OSC escape sequences to

subprocess module call

Medium
Category
Dangerous Code Execution
Content
info(f"Configured tmux passthrough on {host}")

    # Reload tmux config if tmux is running
    subprocess.run(
        ["ssh", host, "tmux source-file ~/.tmux.conf 2>/dev/null || true"],
        capture_output=True
    )
Confidence
89% confidence
Finding
subprocess.run( ["ssh", host, "tmux source-file ~/.tmux.conf 2>/dev/null || true"], capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if result.stdout.strip():
        stale_pids = result.stdout.strip().split()
        for pid in stale_pids:
            subprocess.run(["kill", pid], capture_output=True)

        # Wait for port to be free
        for _ in range(10):
Confidence
94% confidence
Finding
subprocess.run(["kill", pid], capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill directs execution of shell commands, SSH configuration changes, file writes under ~/.claude and ~/.ssh, launchd persistence, and network tunneling, yet it declares no permissions. This creates a transparency and consent problem: a user or platform may treat the skill as less privileged than it really is, increasing the chance that sensitive local configuration and remote hosts are modified without informed approval.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script automatically edits ~/.ssh/config to add a RemoteForward entry without explicit warning or confirmation. Modifying SSH configuration creates persistent network behavior that affects future connections, can expose local services to remote hosts, and is especially sensitive in a setup skill that users may run with trust assumptions.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.