Claude Code Agent
Security checks across malware telemetry and agentic risk
Overview
This is a powerful Claude Code controller that can run commands, edit files, keep autonomous sessions, and expose environment secrets to configured MCP servers, so it needs careful review before use.
Only install this if you are comfortable giving it Claude Code-level authority over your projects. Use plan/default permission modes, restrict allowed tools, run it in a limited environment without extra secrets, trust and pin any MCP servers, avoid remote backend URLs unless you control them, and stop persistent sessions when finished.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A task given to this skill can run local commands and change files without per-operation confirmation if the user or agent starts it with broad permissions.
The skill exposes shell execution, arbitrary Claude Code tool calls, and file mutation, with a documented default that auto-accepts edits and an option to bypass prompts.
claude-code-skill bash "npm test" ... claude-code-skill call Write ... `acceptEdits` | Auto-accept file edits (default) ... `bypassPermissions` | Skip all prompts (dangerous!)
Use `plan`, `default`, or `dontAsk` modes for sensitive repositories; restrict `--allowed-tools`; set `--disallowed-tools`; and avoid `bypassPermissions` except in disposable environments.
If a configured MCP server is buggy or untrusted, it may be able to read API keys, cloud credentials, or other secrets from the user's environment.
Every configured MCP server process receives the full parent environment plus any per-server env values, so unrelated tokens or secrets in the user's shell can be exposed to MCP server code.
env: { ...Object.fromEntries(Object.entries(process.env) ...), ...(config.env || {}) }
Run the skill with a minimal environment, only pass per-server tokens that are required, and use trusted MCP servers with least-privilege credentials.
A long-running session may keep acting on a project with the permissions it was given until paused or stopped.
Persistent autonomous sessions and agent teams are a core advertised feature; they are disclosed, but they can continue work across turns with retained context and tool permissions.
Use Persistent Sessions When: ... Agent needs to work autonomously ... Deploy multiple Claude agents working together on complex tasks.
Set budgets and max turns, check `session-status`, pause or stop sessions when done, and avoid granting broad tools to long-running sessions.
Following the examples can run whatever version of an MCP server package is current at install time.
The examples show MCP servers being fetched and run through npx without a pinned version; this is common MCP plumbing but depends on package provenance.
"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/directory"]
Pin MCP server package versions, review server source, and prefer trusted/local installations for high-privilege tools.
Old session context or untrusted project content may influence later actions if a session is resumed.
The skill intentionally preserves and resumes session context, which can carry prior prompts, code, and instructions into later tasks.
Persistent Sessions - Maintain context across multiple interactions ... session-history ... resume <session-id> "Continue"
Review session history before resuming sensitive work and start fresh sessions when context should not carry over.