Back to skill

Security audit

claude-code-cli

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Claude Code helper for coding delegation, with powerful command and edit examples that users should run only in scoped project worktrees.

Install this only if you intentionally want OpenClaw to delegate coding work to Claude Code. Use clean git worktrees or temporary clones, avoid sensitive directories and ~/.openclaw, prefer plan mode for review, set budgets/timeouts for unattended runs, avoid permission-bypass modes, monitor background sessions, and review all diffs before pushing or opening PRs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill states it must not be used in ~/.openclaw/, but this is only advisory text and there is no enforcement in the documented workflow. Because the skill centers on arbitrary command execution with user-controlled workdirs, an operator or downstream agent can still run Claude or shell actions inside the prohibited workspace, undermining the stated safety boundary.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documented interface exposes broad shell execution, background process control, and optional host-elevated execution, which substantially expands the attack surface beyond simple delegation to Claude Code CLI. In a skill meant for coding assistance, these capabilities can be repurposed for arbitrary local actions, network access, and persistence if misused or prompted adversarially.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly advertises dangerous flags such as --dangerously-skip-permissions / bypassPermissions and full --system-prompt replacement. These options disable built-in safeguards or replace trusted instructions, making prompt injection, unauthorized edits, and unsafe autonomous behavior materially easier in exactly the environment this skill orchestrates.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The examples include destructive cleanup commands that delete directories, but the surrounding guidance does not clearly warn about deletion scope, path verification, or recovery implications. In a command-oriented skill, users often adapt examples directly, so normalized deletion patterns increase the chance of accidental data loss if paths are mistyped or variables expand unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill recommends --permission-mode acceptEdits for background tasks as a convenience measure, but does not pair that recommendation with a prominent warning that the agent may autonomously modify repository files. In unattended or long-running sessions, this can lead to broad unintended changes before a human reviews the result.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.