Security audit

use-claudecode

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Claude Code wrapper, but it gives an agent broad local command and file-changing authority while bypassing normal permission prompts.

Install only if you intentionally want an agent to run Claude Code locally with broad command execution and file modification authority. Use it only in trusted project directories, avoid shells with sensitive environment variables, prefer fresh sessions for unrelated work, and consider removing `bypassPermissions` or adding explicit approvals and path restrictions before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if os.name == 'nt':
    ps_cmd = " ".join(cmd)
    full_ps_cmd = f"[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; {ps_cmd}"
    result = subprocess.run(
        ["powershell", "-Command", full_ps_cmd],
        capture_output=True,
        text=True,
Confidence
96% confidence
Finding
result = subprocess.run( ["powershell", "-Command", full_ps_cmd], capture_output=True, text=True, encodi

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        timeout=600
    )
else:
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
Confidence
89% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, encoding='utf-8', erro

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes shell and environment-affecting capabilities but does not declare permissions or constraints, leaving the agent and user without a clear security boundary. In this context, the tool is explicitly intended to modify files, run commands, and interact with a local CLI, so undeclared capabilities materially increase the chance of unsafe or surprising execution.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Documenting that the wrapper automatically uses Claude CLI with `--permission-mode bypassPermissions` means local actions can occur without interactive approval. Because this skill is designed for terminal execution and workspace modification, removing confirmations makes destructive filesystem changes, data exposure, or command abuse significantly easier.

Vague Triggers

High
Confidence
94% confidence
Finding
The skill instructs the agent that it 'must' invoke this tool for a broad set of common coding and debugging requests, effectively pushing routine work into a powerful local shell wrapper. That broad trigger scope is dangerous here because the tool can modify files and execute commands, increasing the chance of unnecessary high-risk delegation and prompt-injection-mediated misuse.

Missing User Warnings

High
Confidence
95% confidence
Finding
The top-level description markets terminal execution, local environment modification, and token-limit bypassing without pairing those capabilities with clear safety warnings or consent expectations. In a skill meant for general agent use, advertising powerful local actions so casually normalizes risky behavior and can lead users or orchestrators to invoke it without appreciating the security impact.

Missing User Warnings

Critical
Confidence
99% confidence
Finding
The notes explicitly say the tool automatically bypasses permission prompts and that the agent need not worry about confirmation pauses. In context, this is especially dangerous because the skill's purpose is to let another model act through the local CLI, so bypassing confirmations removes a key safety barrier against unintended or malicious local actions.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code explicitly adds `--permission-mode bypassPermissions`, disabling the CLI's safety/approval controls while presenting a general-purpose interface for code generation, terminal execution, and environment modification. In this skill context, that greatly increases danger because any downstream prompt injection or misuse can immediately become unrestricted local action.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The tool description authorizes broad autonomous behavior including terminal execution, file modification, running tests, and deep codebase analysis, but it does not define meaningful trigger constraints, approval requirements, or safety boundaries. In a skill that exposes a local CLI sub-agent, this ambiguity can cause unsafe invocation for sensitive operations and expands the chance of destructive or unauthorized actions.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
Advertising the skill as a way to 'bypass token limits' encourages use of a subordinate local agent to evade normal model constraints without explaining user consent, logging, or policy controls. That framing is risky because it incentivizes routing large or sensitive tasks through a less governed execution path with filesystem and shell access.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.