Claude Code Agent
Security checks across malware telemetry and agentic risk
Overview
The skill matches its MCP and state-sync purpose, but it can start configured tool servers and pass them the agent’s environment secrets, so it needs careful review before use.
Install only if you trust the package and every MCP server you configure. Pin server versions, restrict filesystem roots and account tokens, run with a minimal environment, and require confirmation before adding servers or executing high-impact MCP tool calls.
VirusTotal
57/57 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised MCP server could access local environment secrets that were not meant for it.
Every MCP server child process receives the caller's full environment plus any configured env values. Environment variables often contain API keys or tokens, so any configured server can inherit more credentials than its specific purpose requires.
env: { ...Object.fromEntries(Object.entries(process.env) ...), ...(config.env || {}) }
Run MCP servers with a minimal environment, pass only the specific tokens each server needs, and avoid configuring untrusted servers while sensitive env vars are present.
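As an added example (not the skill's own code), this is the minimal-environment approach the mitigation describes: instead of spreading the whole process.env into the child, only a small baseline plus the variables a server is explicitly allowed to see are inherited. The ServerConfig fields allowedEnv and env, the secret-name heuristic, and the sample variables are assumptions made for illustration.

```javascript
// Added example, not code from the reviewed skill.
// Assumed ServerConfig shape: { allowedEnv?: string[], env?: Record<string, string> }.
const ALWAYS_ALLOWED = ["PATH", "HOME", "TMPDIR", "LANG"]; // baseline a child needs to start

// Build the env object for one MCP server child process from an allowlist,
// rather than `{ ...process.env, ...config.env }`.
function buildServerEnv(parentEnv, serverConfig) {
  const allow = new Set([...ALWAYS_ALLOWED, ...(serverConfig.allowedEnv || [])]);
  const env = {};
  for (const name of allow) {
    if (parentEnv[name] !== undefined) env[name] = parentEnv[name];
  }
  // Per-server configured values override anything inherited.
  Object.assign(env, serverConfig.env || {});
  return env;
}

// Names that look like credentials (heuristic, an assumption for this example).
const SECRET_PATTERN = /(KEY|TOKEN|SECRET|PASSWORD)/i;

// List the secret-looking variables the full-spread pattern would have handed
// to this server but the allowlist withholds; useful as a pre-launch check.
function leakedByFullSpread(parentEnv, serverConfig) {
  const minimal = buildServerEnv(parentEnv, serverConfig);
  return Object.keys(parentEnv).filter(
    (name) => SECRET_PATTERN.test(name) && !(name in minimal)
  );
}

// Constructed sample parent environment and server config for demonstration.
const sampleParentEnv = {
  PATH: "/usr/bin",
  HOME: "/home/agent",
  OPENAI_API_KEY: "sk-example-constructed",
  GITHUB_TOKEN: "ghp-example-constructed",
  FS_SERVER_ROOT: "/srv/data",
};
const filesystemServer = {
  allowedEnv: ["FS_SERVER_ROOT"],
  env: { NODE_ENV: "production" },
};
```

Calling buildServerEnv(sampleParentEnv, filesystemServer) yields only PATH, HOME, FS_SERVER_ROOT and NODE_ENV, while leakedByFullSpread reports the two token variables that the original spread would have passed through.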
A bad or overly broad MCP server configuration could give the agent access to local files, repositories, or external accounts through tool calls.
Adding a new MCP server makes it active by default and initializes it from a caller-provided ServerConfig. The artifacts do not provide built-in allowlists, approval checks, or scope limits for what the resulting tool server may do.
if (isNewServer && !config.status) { config.status = "active"; } ... await initializeSingleClient(clientId, config);
Only add trusted MCP servers, keep filesystem roots narrow, require user confirmation for new servers and high-impact tool calls, and review the generated mcp_config.json.
Future or compromised package versions could run with the agent's local privileges if used in a live config.
The example MCP configuration uses npx -y without a pinned package version, which can download and run current npm package code at runtime. This is common MCP plumbing but depends on external package provenance.
"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/directory"]
Pin MCP server package versions, use lockfiles or vetted internal mirrors where possible, and verify npm packages before enabling them.
Private conversation or session state may stay on the device and later influence future agent context if the application stores it there.
The storage adapter persists state in IndexedDB with localStorage fallback, matching the stated state persistence purpose. Persisted chat/session data can remain available to future sessions.
const value = (await get(name)) || localStorage.getItem(name); ... await set(name, value);
Store only data you are comfortable retaining, clear local state when needed, and do not merge session data from untrusted sources.
