Back to skill

Security audit

Coding PM

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent coding-project manager, but it asks for broad filesystem access and runs a background coding agent with permission prompts disabled.

Install only if you are comfortable with a background Claude Code agent modifying a git worktree with permission prompts disabled and broader local filesystem access. Use it in an isolated checkout, container, VM, or restricted user account; avoid repositories containing secrets; do not paste credentials into feedback; review plans and diffs carefully; prefer pause over cancel when preserving work matters; and re-enable workspace-only filesystem restrictions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The prompt instructs the agent to invoke an external command (`openclaw system event`) and, on failure, write a local marker file to signal state to a supervisor. That creates an outbound signaling and persistence side channel not essential to code-editing itself, and because the command interpolates task text into a shell invocation, it expands the skill's operational surface beyond its stated project-management role. In this skill context, supervisor wake-ups are related to orchestration, but they still increase risk because they enable external effects and filesystem state changes from prompt instructions alone.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `/task cancel` flow performs irreversible cleanup (`worktree remove` and `branch -D`) immediately after killing the agent, but the skill does not require a confirmation prompt or warn the user that unmerged changes may be lost. In a multi-task background workflow, this creates a realistic risk of accidental data loss from a typo or misunderstood task state.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill instructs verbatim relay of user feedback and answers into the background coding agent, which can unnecessarily disclose secrets, credentials, internal URLs, or other sensitive text the user includes. Because the relay goes to a separate agent session with broad permissions and possible network access, the exposure surface is meaningfully expanded.

Ssd 3

Low
Confidence
76% confidence
Finding
The instruction to store task context in conversation memory includes session IDs, branch names, worktree paths, and phase state without any retention limit or minimization guidance. While not directly exploitable on its own, persistent storage of operational metadata can increase exposure of sensitive workflow details if memory is later surfaced or reused unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.