Security audit

Claude Dev Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it routinely gives agents access to your Claude OAuth token and tells them to run Claude Code with permission prompts disabled.

Install only if you intentionally want agents to operate Claude Code under your account. Avoid adding token extraction to shell profiles, avoid exposing OAuth tokens in command strings or logs, remove --dangerously-skip-permissions from default workflows, and require explicit user approval before background Claude Code tasks run.
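The four mitigations above (no token extraction into shell profiles, no tokens in command strings or logs, no `--dangerously-skip-permissions` in default workflows, explicit approval before background tasks) can be checked mechanically before a skill is installed, and the same patterns are what the findings below flag. The scanner here is an added example written for this page, not part of SkillSpector or of the Claude Dev Setup skill. The rule names, the two sample SKILL.md fragments, and the credential-file path and JSON key inside them are constructed for illustration; the regexes are heuristics to tune for the skills you actually review.

```python
"""Scan a skill's instruction text for the risk patterns this audit flags.

Added example for this page. Sample inputs are constructed; the path
~/.claude/.credentials.json and the key .accessToken are invented for the
demo and are not a statement about where Claude Code stores credentials.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    severity: str
    text: str


# (rule name, severity, pattern). Heuristics, not a complete policy.
RULES = [
    ("skip-permissions", "high",
     re.compile(r"--dangerously-skip-permissions\b")),
    # a tool reading a credential store on the same line (token extraction)
    ("token-extraction", "high",
     re.compile(r"\b(cat|jq|python[0-9.]*|node)\b.*?(credentials|\.claude/|oauth)", re.I)),
    # a secret-looking variable exported into the shell environment
    ("token-in-env", "medium",
     re.compile(r"\bexport\s+\w*(TOKEN|OAUTH|SECRET)\w*=")),
    # anything appended to a shell startup file persists across sessions
    ("token-in-shell-profile", "high",
     re.compile(r">>\s*\S*\.(bashrc|zshrc|profile|bash_profile)\b")),
    # backgrounded or detached processes run with no prompt in front of the user
    ("background-task", "medium",
     re.compile(r"(\bnohup\b|\bsetsid\b|\bdisown\b|(?<!&)&\s*$)")),
]

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}


def scan_skill(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in document order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, severity, line.strip()))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Highest severity seen, or 'none' when the text is clean."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed sample showing the flagged shape of instructions (not the real skill).
SAMPLE_SKILL_MD = """\
# Claude Dev Setup (constructed sample, not the real skill)

## Start a background task
export CLAUDE_TOKEN=$(jq -r .accessToken ~/.claude/.credentials.json)
echo 'export CLAUDE_TOKEN=$(jq -r .accessToken ~/.claude/.credentials.json)' >> ~/.zshrc
claude --dangerously-skip-permissions -p "Refactor auth module" &

## Check status
tail -n 20 ~/memory/claude-code-sessions.md
"""

# Constructed hardened counterpart: the CLI uses its own stored credentials,
# permission prompts stay on, and nothing is launched in the background.
HARDENED_SKILL_MD = """\
## Start a task
# Do not copy the stored token anywhere; ask the user before launching.
claude -p "Refactor auth module"

## Check status
tail -n 20 ~/memory/claude-code-sessions.md
"""


if __name__ == "__main__":
    hits = scan_skill(SAMPLE_SKILL_MD)
    for f in hits:
        print(f"line {f.line_no}: [{f.severity}] {f.rule}: {f.text}")
    print("sample verdict:", verdict(hits))
    print("hardened verdict:", verdict(scan_skill(HARDENED_SKILL_MD)))
```

Run it over SKILL.md and any AGENTS.md template the skill ships; a non-empty result means the skill needs a human read before it goes into an agent's tool path. Hits are review prompts, not verdicts: a prose sentence that merely mentions one of these commands will trigger the same rule as an instruction to run it.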

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill repeatedly instructs agents to read a long-lived OAuth token from a local credentials file and inject it into commands for routine operation. That expands the skill from setup guidance into credential-access behavior, normalizes secret handling by agents, and increases the chance of credential disclosure through logs, inherited environments, or downstream tooling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation normalizes use of --dangerously-skip-permissions for standard Claude Code tasks, despite the skill being framed as setup and session management. This bypasses interactive safety gates and can allow unintended file modification, command execution, or broader system actions without review.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to read a local OAuth credential file and inject the extracted access token into shell commands. That exceeds the stated session-management purpose and creates a direct credential theft and reuse path, allowing unauthorized API use and possible account compromise.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The repeated use of `--dangerously-skip-permissions` directs the agent to bypass Claude Code's permission safeguards by default. Embedding this in normal task execution weakens security boundaries and enables file/system actions without expected user approval.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill tells users to export an OAuth token from disk into the shell environment and even persist it in shell startup files. This creates multiple exposure paths including shell history, process environments, child processes, debug logs, and accidental disclosure during troubleshooting.

Missing User Warnings

High
Confidence
98% confidence
Finding
The file repeatedly recommends --dangerously-skip-permissions but does not explain that it disables permission checks and safety prompts. In a skill intended for broad reuse, omission of that warning materially increases the chance that users will run high-risk commands as a matter of routine.

Missing User Warnings

High
Confidence
98% confidence
Finding
These instructions expose a sensitive OAuth token from a local credentials file and reuse it in commands without warning, masking a secret-handling operation as routine setup. This can leak credentials into process tables, logs, shell history, or downstream tooling and permits misuse of the token.

Missing User Warnings

High
Confidence
97% confidence
Finding
The command examples normalize use of `--dangerously-skip-permissions` while giving no user-facing warning that safety checks are being bypassed. This makes risky execution appear standard and increases the chance of unreviewed destructive or privacy-invasive actions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The status-check instructions use broad natural-language triggers like "what's the status?" and "is it done?" without clearly tying them to a specific tracked session or requiring confirmation. In an agent setting, this can cause unintended access to background process logs or task metadata when ordinary conversation is misinterpreted as a command.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to append, update, and delete records in `~/memory/claude-code-sessions.md`, which is a persistent file in the user's home directory, but provides no user-facing notice or consent mechanism. That creates a risk of silent state modification, persistence, and cleanup actions affecting user data outside the immediate task context.

Ssd 3

High
Confidence
99% confidence
Finding
The instructions repeatedly direct the agent to read a local OAuth credential and use it in command execution and environment setup. Teaching an agent to access secrets from disk as a normal workflow is dangerous because it broadens secret exposure and enables misuse if the agent or surrounding tooling is compromised.

Ssd 3

High
Confidence
99% confidence
Finding
The AGENTS.md template embeds a standing rule that agents should always extract the OAuth token from disk before running tasks. That turns unsafe credential access into durable operational policy, increasing the blast radius beyond this single skill and propagating insecure behavior to other agents and future sessions.

Ssd 3

High
Confidence
99% confidence
Finding
The skill tells the agent to read a local credential store and reuse the extracted OAuth token in subsequent commands. That is a direct secret-access pattern unrelated to benign session tracking and materially increases the risk of credential exfiltration and unauthorized account activity.

Context Leakage

High
Category
Data Exfiltration
Content
```
// Returns: sessionId: "tender-nexus" or similar
```

**After starting:** Immediately log the session to this file:
```
| tender-nexus | refactor-auth | Refactor auth module | 2026-03-24 08:50 UTC | running |
```
Confidence
89% confidence
Finding
log the session

VirusTotal

No VirusTotal findings

Static analysis

No suspicious patterns detected.