Back to skill

Security audit

Claude Code Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful Claude Code controller that can run commands, edit files, and keep autonomous sessions, but it exposes more authority and ambient secrets than users may expect.

Install only if you intend to give this skill Claude Code-level control over selected projects. Use plan or default permission modes for sensitive work, avoid bypassPermissions/skip-permissions, restrict allowed tools and added directories, run it with a minimal environment that does not contain unrelated secrets, use only trusted and pinned MCP servers, keep backend URLs local or controlled by you, and stop persistent sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes capabilities with security significance—network access, environment interaction, and MCP-mediated tool control—without declaring permissions up front. That creates a transparency and policy-enforcement gap: users or host platforms may grant or run the skill without understanding that it can reach external/local services and indirectly execute powerful operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose understates the full behavior surface: beyond MCP control, the skill references persistent session/history handling and direct HTTP communication with a backend API. This mismatch is dangerous because operators may trust the stated narrow purpose while the skill actually supports broader data retention and service interaction that materially changes its risk profile.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client spawns an MCP server process and forwards nearly the entire parent environment into it via `process.env`, only excluding undefined values. In this skill's context, the spawned server is explicitly empowered to execute commands and access files, so inheriting secrets such as API keys, cloud credentials, tokens, and CI secrets materially increases blast radius if the server is compromised, malicious, or simply over-privileged.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly documents a `bypassPermissions` mode that skips all prompts, which materially lowers safety barriers for a tool that can run shell commands and read/write files. In this skill's context, that makes unintended or unsafe system actions much easier, especially when driven by an LLM or multi-agent workflow, so the lack of a strong warning and usage constraints is a real security concern.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README demonstrates direct `Write` capability without clearly warning users that the tool can modify arbitrary local files. Because this skill is specifically designed to control coding tools programmatically, normalizing write operations without caution increases the risk of accidental file corruption, overwriting sensitive paths, or unsafe automation behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation prominently encourages shell execution, file modification, autonomous tool use, and multi-step agent workflows, but it does not present an upfront warning that these actions can change the local system, repository contents, or sensitive files. In practice, users may invoke examples directly and unintentionally authorize destructive or privacy-impacting operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The CLI exposes high-risk options such as skipping permissions, replacing system prompts, broad tool allowlists, and adding extra accessible directories, but relies only on terse option descriptions to communicate danger. In a skill specifically designed to control Claude Code programmatically, these flags materially weaken safety boundaries and make accidental unsafe execution more likely, especially when invoked by higher-level agents or automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `bash` command forwards arbitrary shell commands to the backend with no confirmation, allowlist, sandboxing, or user-facing safety barrier. Because this skill's purpose is remote programmatic control of Claude Code, exposing direct command execution substantially increases the risk of destructive actions, credential theft, or host compromise if the CLI is misused by an agent, script, or attacker.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Sensitive environment variables are propagated to the child MCP server without any user-facing warning, consent, or visibility into what secrets are being exposed. Because this skill is designed to control external MCP servers programmatically, this omission is especially dangerous: a user may believe they are only granting MCP tool access while actually disclosing all ambient credentials from the host environment.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# With permission mode (plan = preview changes before applying)
claude-code-skill session-start review -d ~/project --permission-mode plan

# With tool whitelist (auto-approve these tools)
claude-code-skill session-start safe -d ~/project \
  --allowed-tools "Bash(git:*),Read,Glob,Grep"
Confidence
90% confidence
Finding
auto-approve

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/index.ts:9