Security audit

Claude Code All-in-One for arkclaw

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Claude Code installer/runner, but it persistently stores API keys and can automatically run a file-modifying shell-capable coding agent with limited user confirmation.

Install only if you are comfortable with this skill modifying your home-directory Claude configuration, writing API keys to local files including ~/.bashrc, validating keys against the configured provider, and running Claude Code in a mode that may edit files and execute shell commands. Prefer explicit review mode for analysis, and remove stored keys/config files if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs execution of multiple shell scripts and CLI commands, yet no explicit permission declaration is present. That mismatch weakens user and platform visibility into what the skill can do, increasing the chance of unexpected command execution without informed consent.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The description promises usability without an Anthropic API key, but the workflow still depends on either injected platform credentials or alternate provider keys. This is a security-relevant trust issue because it obscures credential consumption and may cause users to unknowingly rely on hidden environment secrets.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill claims secrets will not be printed to logs or stdout, but it explicitly asks users to paste keys into chat and passes keys on shell command lines such as setup scripts. Chat transcripts, process arguments, shell history, and telemetry can expose those secrets despite the stated guarantee.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata says it is for installing/configuring Claude Code, but this script is a general-purpose execution wrapper that accepts arbitrary user requests and routes them into review or build workflows. That expands the skill's operational scope beyond setup into delegated task execution, which increases the chance of unsafe command execution, file modification, and misuse under the guise of an installation skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
In build mode, the script grants Claude shell execution plus write/edit capabilities (Bash, Edit, Write), enabling arbitrary command execution and filesystem changes based solely on the user prompt. In the context of a skill advertised as an installer/configurator, this is overprivileged and dangerous because a user may not realize the skill can actively modify the workspace or run shell commands.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger scope is very broad, covering common requests like code review, code rewriting, model switching, and even general mention of Claude Code. That makes accidental invocation more likely, which is dangerous here because the skill can install software, alter configuration, consume environment credentials, and run shell commands.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The natural-language examples are vague enough that routine developer requests could activate the skill unintentionally. In this context, accidental activation is especially risky because the documented behavior includes environment inspection, onboarding changes, script execution, and possible file modification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises a 'build mode' with Read/Edit/Write/Bash capability but does not provide a prominent user-facing warning that it can modify files and execute shell commands. Users may believe they are requesting analysis while the skill defaults into an action-taking mode with side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to paste a sensitive AgentPlan key directly into a setup flow while the same file later discloses that the key will be stored persistently in ~/.bashrc and ~/.claude/.token. Although the storage behavior is documented near the end, it is not presented as a clear warning at the point of collection, so users may disclose credentials without informed consent about persistence and recovery behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The custom gateway flow asks users to provide base_url, API key, and model, and states that setup-custom.sh will probe the supplied endpoint and modify local configuration. Because this behavior is disclosed only after the collection instructions, users may not realize their key will be used in an outbound request and that settings files will be overwritten or backed up, creating a risk of unintended credential transmission and persistent configuration changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The helper persists a supplied secret into ~/.bashrc, which stores the credential long-term in a broadly read startup file and exposes it to accidental disclosure through shell history inspection, backups, dotfile syncing, support bundles, or later terminal output. In this skill's context, the value is an API key, so writing it into a login script without explicit disclosure/consent meaningfully increases secret exposure and persistence risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The validation function transmits the provided API key in an Authorization header to a remote endpoint. Done without clear user disclosure, this is a security-sensitive action because it reveals the secret to the configured service and to any intermediaries or logs associated with that request. Although this appears intended as a connectivity/auth check, the skill context is credential setup for a third-party CLI, so silently making network calls with the key expands the trust boundary and may surprise users.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The script appends to ~/.bashrc automatically, creating persistence in the user's shell environment without an explicit opt-in at execution time. In this specific installer context the change is limited to adding an npm global bin directory to PATH, so it is not overtly malicious, but silent shell-profile modification can surprise users and can become risky if the appended path later contains untrusted executables.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically selects build mode unless review keywords are detected, and build mode enables write-capable and shell tools without a prominent user-facing warning or confirmation. This creates a consent and safety problem: benign-sounding requests may unexpectedly result in code changes or shell execution, especially given the skill's setup-oriented description.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists a sensitive API key into ~/.bashrc and ~/.claude/.token, creating long-lived local secret copies without an explicit interactive warning or confirmation at the point of modification. In a sandboxed agent skill, users may expect temporary use of a managed secret, not durable persistence into shell startup files and app config state, which increases accidental disclosure and reuse risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
In --auto mode, the script silently consumes ARK_API_KEY from the environment and later persists it locally, but does not clearly disclose at runtime that a managed sandbox secret will be copied into user-controlled files. This can violate user expectations about secret handling boundaries and turn a transient injected credential into a persistent credential on disk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists the provided API credential to long-lived user locations including ~/.bashrc and ~/.claude/.token without an explicit upfront warning or consent gate about storage side effects. This increases the chance of accidental credential exposure through shell startup files, backups, dotfile sync, or later local compromise, especially because --auto mode can silently take a sandbox-injected key and make it persistent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically extracts sensitive API keys from environment variables or ~/.bashrc and writes them into ~/.claude/.token during profile switching, without any user confirmation or validation. In a shared, misconfigured, or unexpected execution context, this can silently persist credentials to disk and broaden their exposure beyond the original environment-only scope.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to return Claude/tool output verbatim. Because the workflow handles configuration state, logs, errors, and user-supplied credentials, verbatim return can leak secrets, file paths, tokens, or sensitive environment details back into chat.

Ssd 3

Medium
Confidence
90% confidence
Finding
The workflow directs users to provide API keys conversationally and then stores them locally as part of normal operation. This increases the attack surface because secrets may be exposed through chat retention, local file compromise, backups, or later tooling that reads those files.

Ssd 3

Medium
Confidence
94% confidence
Finding
Persisting user keys in multiple files such as shell rc files, token files, and profile JSONs broadens the number of places from which credentials can be recovered. In a tool-enabled sandbox, this makes accidental disclosure, exfiltration, or reuse more likely during normal debugging and file operations.

Session Persistence

Medium
Category
Rogue Agent
Content
cc_log "超时: ${TIMEOUT_SEC}s"

# --- Launch: nohup setsid + </dev/null + log file ---
# setsid puts claude into a new session, fully detached from any possible controlling tty
# </dev/null connects stdin to /dev/null, so claude reads nothing
# >$LOG_FILE 2>&1 writes all output to disk
nohup setsid claude "${CLAUDE_ARGS[@]}" </dev/null >"$LOG_FILE" 2>&1 &
Confidence
86% confidence
Finding
setsid

Session Persistence

Medium
Category
Rogue Agent
Content
# setsid puts claude into a new session, fully detached from any possible controlling tty
# </dev/null connects stdin to /dev/null, so claude reads nothing
# >$LOG_FILE 2>&1 writes all output to disk
nohup setsid claude "${CLAUDE_ARGS[@]}" </dev/null >"$LOG_FILE" 2>&1 &
CLAUDE_PID=$!

cc_log "Claude PID: $CLAUDE_PID"
Confidence
87% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
# setsid puts claude into a new session, fully detached from any possible controlling tty
# </dev/null connects stdin to /dev/null, so claude reads nothing
# >$LOG_FILE 2>&1 writes all output to disk
nohup setsid claude "${CLAUDE_ARGS[@]}" </dev/null >"$LOG_FILE" 2>&1 &
CLAUDE_PID=$!

cc_log "Claude PID: $CLAUDE_PID"
Confidence
87% confidence
Finding
setsid

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.