Security audit

cloudcc-cli-dev

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate CloudCC development helper, but it can install a global CLI and publish CRM changes with developer credentials without clearly requiring user approval or environment scoping.

Review before installing. Use a non-production CloudCC environment, least-privilege developer credentials, and a verified or pinned cloudcc-cli package. Before allowing any create, publish, or upload command, confirm the target org/environment, affected assets, credential scope, and rollback plan.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description explicitly says the skill should be prioritized whenever users mention broad CloudCC-related terms such as CloudCC, cloudcc-cli, cc command, objects, fields, triggers, schedulers, or custom components. These are common discussion terms in legitimate conversations, so the activation scope is overly broad and can cause the skill to trigger outside narrowly intended contexts, increasing the chance of unintended tool guidance or workspace-modifying actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal