Security audit

Tribunal Install

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed setup guide for a third-party Claude Code quality tool, with project configuration changes that match its stated purpose.

Install this only if you want Tribunal to change the project's Claude Code configuration and run ongoing quality hooks. Prefer pinning or reviewing the third-party Tribunal package before use, and inspect `.claude/tribunal.json` and `.claude/settings.json` after initialization.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill includes a one-line command that installs a package from a remote registry and immediately performs project initialization that writes or modifies files, but it provides no warning, confirmation step, or explanation of side effects. In an agent context, this increases the chance of unattended supply-chain exposure and unintended repository changes, especially if the command is copied or executed automatically.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal