Security audit

claude-audit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed code-audit skill with optional code-fixing and a user-directed installer, but users should be careful with auto-fix and one-line installation.

Install manually or inspect the installer before using the one-line command. Run /audit without --fix first, scope sensitive repositories with a path, --changed, --focus, and .auditignore, and only use --fix on a clean version-controlled branch where you can review and revert changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions, yet its instructions require shell-capable operations such as git diff and potentially file-modifying actions later in the workflow. This creates a transparency and trust problem: users may invoke a supposedly harmless audit skill without realizing it can access the shell and operate over the working tree.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest and description market the skill as a read-only audit tool, but the documented behavior includes fix application and broader operational capabilities inconsistent with that claim. Description-behavior mismatches are dangerous because they defeat informed consent and can lead users to authorize actions they would not have accepted if accurately described.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill presents itself as read-only, but its documented workflow later allows modifying project files to apply fixes. This is a capability escalation against user expectations and can result in unauthorized code changes, especially in sensitive repositories.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill instructs sub-agents to remain read-only, but the overall skill later directs file modification during fix application. This inconsistency can confuse users and implementers, making it easier for write actions to occur under the guise of a read-only audit.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a read-only audit tool, but its documented behavior includes an auto-fix mode that applies code changes. This mismatch is dangerous because users or calling systems may grant it broad repository access under the assumption that it only analyzes, while the skill can in fact modify source code without a separate safety boundary.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The instructions establish a global read-only expectation for every agent, but later sections direct the overall skill to edit files during fix application. Contradictory safety semantics increase the risk of unsafe automation, policy bypass, and accidental writes because reviewers and users cannot rely on the declared trust boundary.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The later 'Apply Fixes' section operationalizes file modification after earlier documentation frames the skill as an audit tool. Even if the write phase occurs after a report, it still changes the repository and may do so broadly, which can lead to unintended code changes, malicious prompt abuse through crafted findings, or CI/repo integrity issues if invoked automatically.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises `/audit --fix` as immediately applying all fixes, but the surrounding documentation does not clearly emphasize the risk of automatic modification of user code or the need to review a proposed patch first. In a tool that can scan an entire repository and then change files, this increases the chance of unintended destructive edits, especially if users assume the operation is low-risk because the scan phase is read-only.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Defaulting to a full audit of the current working directory when no arguments are provided is overly broad and may unintentionally sweep large or sensitive repositories. Broad implicit scope increases the risk of unintended shell access, repository inspection, and data exposure through generated reports.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The --fix option allows automatic file modification without a strong upfront warning in the user-facing description. Users expecting an audit-only skill may invoke it without understanding that it can rewrite code, which undermines consent and change-control practices.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The --fix flag is described as skipping confirmation and auto-applying fixes, but the skill description emphasizes auditing and does not prominently warn that code will be modified. This creates a consent and safety problem: a user may invoke the skill expecting analysis and accidentally trigger immediate edits across the project.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Piping a remote script directly into `bash` executes unreviewed code from the network immediately, giving the script the full authority of the current user account. If the upstream source, transport path, or publisher account is compromised, users can be silently infected with malware or persistence mechanisms.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The post explicitly advertises an auto-fix mode that can change code 'without asking', but it does not warn users about the risks of unintended code modification, review requirements, or the scope of changes. In the context of an AI-driven code audit/fix tool, this can normalize unsafe use of autonomous write actions and lead users to run potentially destructive or insecure modifications on their codebase.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Flag | Default | Description |
|----------|---------|-------------|
| `[path]` | `.` (cwd) | Directory to audit |
| `--focus <areas>` | all | Comma-separated: `security`, `bugs`, `deadcode`, `architecture`, `performance` |
| `--fix` | off | Skip confirmation, auto-apply fixes after report |
| `--changed` | off | Only audit files changed vs last commit (`git diff --name-only HEAD~1`) |
| `--severity <level>` | `info` | Minimum severity to show: `critical`, `warning`, `info` |
| `--top <N>` | unlimited | Limit report to top N findings by severity |
Confidence
90% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Flags

- `--focus security,bugs` - run only the agents you need
- `--fix` - auto-fix without asking
- `--changed` - only scan files changed since last commit (great before PRs)
- `--severity critical` - filter noise
- `--top 10` - top N issues only
Confidence
96% confidence
Finding
without asking

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Global (all projects)
mkdir -p ~/.claude/commands
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/audit.md \
  -o ~/.claude/commands/audit.md
```
Confidence
85% confidence
Finding
mkdir -p ~/.claude/commands curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/audit.md \ -o ~/.claude

External Script Fetching

Low
Category
Supply Chain
Content
One line:

```bash
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/install.sh | bash
```

Or manually:
Confidence
97% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/install.sh | bash

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Global (all projects)
mkdir -p ~/.claude/commands
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/audit.md \
  -o ~/.claude/commands/audit.md

# Project-level (this repo only)
```
Confidence
88% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/audit.md \ -o ~/.claude/commands/audit.md # Project-level (this repo only) mkdir -p .claude/commands curl -fsSL https://raw.g

External Script Fetching

Low
Category
Supply Chain
Content
## Install

```bash
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/install.sh | bash
```

Or manually copy one file to `~/.claude/commands/audit.md`.
Confidence
98% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
One line:

```bash
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/install.sh | bash
```

Or manually:
Confidence
99% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
## Install

```bash
curl -fsSL https://raw.githubusercontent.com/atobones/claude-audit/main/install.sh | bash
```

Or manually copy one file to `~/.claude/commands/audit.md`.
Confidence
99% confidence
Finding
| bash

VirusTotal

63/63 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.