Back to skill

Security audit

Claude Code Supervisor

Security checks across malware telemetry and agentic risk

Overview

This supervisor skill has a coherent purpose, but it gives background scripts broad control over live coding sessions and sensitive terminal content without enough scoping or disclosure.

Review carefully before installing. Use only in trusted projects, inspect .claude-code-supervisor.yml and generated hooks, avoid remote LLM or webhook notification backends for sensitive repositories, and do not run the watchdog timer unless you accept automatic tmux input. Treat any project-local supervisor config as code that can execute commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs users to run shell commands and install hook scripts, but it does not declare permissions or explicitly surface that it has shell-executing capabilities. That omission reduces transparency for users and harnesses, making it easier to invoke a skill that modifies environment behavior and project automation without clear consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The notify command is loaded from configuration and executed as a shell command without validation, allowlisting, or separation of executable versus arguments. In the skill context, this means anyone who can influence the project or user config can cause arbitrary local command execution whenever notifications are sent, which exceeds the stated monitoring-only purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The triage command is fully configurable and receives prompt content over stdin, then is invoked as a shell command with additional arguments. A malicious repo-level config could replace the intended LLM client with any program, enabling arbitrary command execution and exfiltration of captured session content under the guise of triage.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The generated helper script directly embeds the configured notification command into a shell script, so any unsafe or attacker-controlled config becomes persistent executable code. This increases risk beyond one-time invocation because the dangerous command is written to disk and later run by the agent or user, potentially with modified arguments or additional shell metacharacter effects.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The watchdog is not purely observational: it injects keystrokes into a live tmux session based on parsed terminal state. Because the nudge message is configurable and is sent directly to an agent shell/CLI, this can alter execution flow, trigger unintended commands, or interfere with a sensitive session if the status detection is wrong or the configuration is attacker-controlled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes sending session events to a fast LLM and arbitrary notification backends, but it does not clearly warn users that terminal/session content and metadata may leave the local system. In this skill’s context, supervised agent sessions can contain prompts, code, file paths, secrets, or operational details, so the omission can lead to unintended external disclosure through both triage and notification commands.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The Quick Start instructs users to run an installer that creates project hook scripts and configuration files, plus a later step to create a state file under the user's home directory, but it does not prominently warn that local files will be written or modified. This is mainly a transparency and safety issue: users may alter repo and user state unintentionally, which is risky in environments where config changes trigger automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guidance recommends automatically answering permission prompts with 'y' when the action seems 'within safety bounds,' but it does not require explicit human confirmation or a robust policy for validating what is being approved. In a supervisory skill that monitors and nudges long-running coding sessions, this creates a real risk of authorizing file modifications, command execution, or other impactful actions based only on shallow pattern matching from terminal output.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The hook forwards potentially sensitive runtime data (tool error text, current working directory, and session ID) to a separate triage process automatically and without any in-script disclosure, redaction, or consent gate. In this skill context, error messages and paths can easily contain secrets, repository names, usernames, or internal project details, so the data propagation expands the exposure surface beyond the original failing tool invocation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The hook forwards notification content, working directory, and session identifiers directly to another script for triage without any minimization, consent boundary, or visible disclosure. In a supervisor skill, notifications may contain sensitive prompts, file paths, or operational context, so this creates a real data-exposure path whose risk depends on what triage.sh does next.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The stop hook captures the last 30 lines of a tmux pane and forwards that content to triage.sh, which can expose sensitive data present in the terminal buffer such as source code, secrets, tokens, file paths, or user input. In this skill’s context, supervision and notification are the intended features, but the forwarding occurs automatically and without any visible consent or minimization in this file, increasing the risk of unintended data exfiltration to downstream logging, LLM triage, or notification backends.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
External notification commands are executed automatically with no user-facing disclosure that a repo or config file can trigger arbitrary local subprocesses. In this skill, that is more dangerous because monitoring hooks may run in the background, making execution less visible and increasing the chance users will not notice unsafe behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Prompt content is piped to an externally configured triage command without clear disclosure or consent, so session text may be sent to an unintended local tool or remote service. Because pane output can include code, errors, tokens, or sensitive workspace context, silent forwarding materially increases confidentiality risk in this supervision workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically sending input into a tmux session without explicit confirmation can cause the supervised agent or shell to execute unintended actions. In this skill's context, the session is long-running and autonomous, which makes silent intervention more dangerous because users may assume the monitor is passive while it is actually modifying behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script captures recent pane output and includes it in notifications, which can exfiltrate secrets, proprietary code, tokens, file paths, or other sensitive terminal content to external notification backends. This skill is specifically designed to forward events to harnesses/webhooks/ntfy, so the context increases risk because the captured output is likely transmitted off-host.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
fi
        else
          # Not idle — clear marker
          rm -f "/tmp/ccs-idle-${SESSION_NAME}"
        fi
      fi
    fi
Confidence
90% confidence
Finding
rm -f "/tmp/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.