Back to skill

Security audit

Claude Code Agent

Security checks across malware telemetry and agentic risk

Overview

This MCP orchestration skill appears purpose-aligned, but it gives spawned tool servers broad command and environment access without enough scoping or privacy guidance.

Review before installing. Use this only with MCP servers you trust, avoid hardcoding real tokens in config files, and run it in an environment with minimal secrets. Prefer explicit per-server environment allowlists, upgrade the flagged dependencies, and confirm what session data is stored or synced before using it with sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The client spawns an MCP server subprocess and forwards nearly the entire parent process environment into it, only filtering out undefined values. Environment variables commonly contain API keys, cloud credentials, tokens, and other secrets, so any configured MCP server gains access to more sensitive data than is required for basic client connectivity. In the context of an agent skill that may connect to third-party or untrusted MCP servers, this materially increases the risk of credential theft and unintended privilege expansion.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The implementation of `mergeWithUpdate` contradicts its stated behavior and likely intended conflict-resolution policy. When `remoteState` is newer, it calls `merge(remoteState, localState)`, which causes older local values to overwrite newer remote values for overlapping fields, leading to stale or inconsistent state being preserved. In a sync utility, this can undermine integrity of user data, conflict resolution, and audit/update semantics.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README includes a plaintext `GITHUB_TOKEN` example directly in configuration without any warning to use environment-variable substitution, secret managers, or to avoid committing real credentials. While the token shown is a placeholder, this documentation pattern can normalize insecure secret handling and lead users to embed real tokens in files that may be checked into source control or exposed on disk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README advertises persistent local storage, context recovery, and multi-device session synchronization but does not warn that chat histories, state, or sensitive prompts may be stored locally and merged across devices. In an AI assistant skill, this increases the chance that sensitive conversation data, tool outputs, or credentials are retained longer than expected or propagated to additional endpoints.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill promotes persistent local storage and multi-device session synchronization but provides no warning about storing sensitive prompts, tool outputs, tokens, or other user data. In an MCP/tool-orchestration context, persisted state can easily include secrets or sensitive workspace content, increasing the risk of unintended disclosure across devices or to other local users.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The configuration example embeds a GitHub token directly in a JSON config snippet without any warning about secure secret handling. This encourages users to place credentials in plaintext configuration files, which can be leaked via source control, logs, backups, or local compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The subprocess is created with the full parent environment and no apparent warning, consent boundary, or limitation. This means operators may unknowingly expose secrets from the host runtime to every MCP server process launched through this code, including user-specified or less-trusted servers. Because the file's role is just client connection management, this broad inheritance is unnecessary and dangerous.

Credential Access

High
Category
Privilege Escalation
Content
.filter(([_, v]) => v !== undefined)
          .map(([k, v]) => [k, v as string]),
      ),
      ...(config.env || {}),
    },
  });
Confidence
78% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
MCP (Model Context Protocol) integration for OpenClaw/Clawdbot. Use when you need to:
- Connect and orchestrate MCP tool servers (filesystem, GitHub, etc.)
- Persist state across sessions with IndexedDB/localStorage
- Sync sessions across multiple devices

Triggers: "MCP", "tool server", "sub-agent orchestration", "session sync", "state persistence", "Claude Code integration"
Confidence
88% confidence
Finding
Persist state across sessions

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.0.0 — 2 advisory(ies): CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

High
Category
Supply Chain
Confidence
98% confidence
Finding
@modelcontextprotocol/sdk==1.0.0

Known Vulnerable Dependency: zod==3.22.0 — 1 advisory(ies): CVE-2023-4316 (Zod denial of service vulnerability)

Low
Category
Supply Chain
Confidence
89% confidence
Finding
zod==3.22.0

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.