Coding Agent (Claude Print + PTY Rules)

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is not malicious, but it normalizes delegated coding agents with permission bypasses, no-sandbox modes, background execution, and remote publishing steps that need careful review.

Install only if you intentionally want coding agents to operate on your projects with broad autonomy. Prefer sandboxed or approval-based modes, avoid --yolo and bypassPermissions in repositories containing secrets or deployment credentials, review diffs before any commit or push, and use temporary clones or worktrees for PR review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill tells delegated agents to execute an additional host-level command (`openclaw system event ...`) after completing their main task. This extends the agent's authority beyond coding work into orchestrator signaling, creating a command-execution bridge where untrusted prompt content can cause side-effectful actions on the host.

Vague Triggers

Medium
Confidence: 70%
Finding
The invocation description is very broad and allows this powerful delegation skill to activate for many generic coding requests. Because the skill enables spawning external coding agents with permissive flags, overly loose routing increases the chance that risky behavior is invoked in situations where simpler, safer tooling would suffice.

Missing User Warnings

High
Confidence: 94%
Finding
This section recommends autonomous workflows that can modify code, commit, push, and create PRs with minimal human review. In practice, this can propagate incorrect or malicious changes to remote repositories and CI systems, especially when combined with background execution and permissive agent modes.

Missing User Warnings

High
Confidence: 96%
Finding
The examples normalize permission bypass and auto-approval behavior as standard usage without a strong user-facing warning. That reduces safety barriers around file modification and tool use, making it easier for delegated agents to perform unintended or excessive actions in the project environment.

Ssd 1

High
Confidence: 97%
Finding
The skill directs operators to use Claude Code with `--permission-mode bypassPermissions` as the normal execution path. This deliberately disables a key approval boundary, increasing the likelihood that the delegated agent can read, modify, or invoke tools in ways the user did not intend.

Ssd 1

High
Confidence: 98%
Finding
The documentation promotes `--yolo` as a convenient mode for coding tasks even though it removes sandboxing and approvals. Running an autonomous coding agent without those controls can lead to unrestricted local changes, credential exposure, destructive commands, or unintended network/repository actions.

Ssd 4

Medium
Confidence: 93%
Finding
The completion-notification pattern instructs the delegated agent to perform a follow-on command on the orchestrator's behalf. This creates an unsafe delegation chain where the child agent is empowered to trigger side effects outside its core coding task, which can be abused or accidentally altered by prompt injection or task output.

VirusTotal

VirusTotal findings are pending for this skill version.