
Security audit

Claude Code Team Scaffold

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Claude Code workflow scaffold, but it needs review because it installs persistent hooks, writes global Claude memory, and can surface prior session text.

Install only if you want this project to use persistent Claude Code hooks and memory. Review the generated .claude/settings.json, the ~/.claude files it will create or append, and consider disabling prompt-preview logging or session-catchup if your Claude sessions may contain secrets or proprietary content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill declares broad project scaffolding behavior but does not explicitly declare permissions despite describing capabilities to read files and use environment/global state. This weakens user consent and reviewability, because a user may invoke the skill without understanding that it will inspect local files and home-directory Claude state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is scaffolding, but the described behavior extends into executing local tools, inspecting git state, parsing prior Claude session transcripts, and enforcing completion gates. That mismatch is dangerous because users may grant trust for project initialization while the skill also performs privacy-sensitive reads and potentially disruptive command execution not clearly disclosed in the top-level description.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill explicitly initializes or appends to global user-level Claude files under ~/.claude, which affects behavior across projects and persists beyond the target repository. Modifying global configuration from a project-scaffolding skill is risky because it can change future agent behavior, expose private cross-project memory, and create hard-to-audit side effects outside version control.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The command logic says dependency failures must stop execution, but the later error-handling text tells the agent to ask whether to wait or proceed anyway. In a task-execution scaffold, this inconsistency weakens workflow safety guarantees and can lead operators or downstream agents to bypass prerequisite work, causing incorrect, incomplete, or unsafe code changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description does not clearly warn that it will modify both repository files and user home-directory Claude configuration. This is a transparency and consent problem: users may reasonably expect project-local scaffolding only, while the skill introduces persistent changes outside the repo.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises persistent memory and audit logging but does not provide an explicit privacy/integrity warning about what data is stored, where it is stored, and how long it persists. In context, the learning loop and session logging can accumulate sensitive development details and cross-session context that users may not intend to retain.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Allowing execution to continue when required dependencies are incomplete undermines sequencing controls that the task system is supposed to enforce. In this skill's context, tasks dispatch code-writing subagents against project modules, so bypassing dependency completion can introduce inconsistent architecture, missing assumptions, broken tests, or security regressions without a strong warning barrier.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This hook captures part of the subagent prompt and writes it to a session audit log without any evidence of consent, redaction, or sensitivity checks. Prompts in an AI development workflow can contain secrets, proprietary code, credentials, internal URLs, or sensitive task details, so even a 200-character preview may leak confidential data into logs that are retained or broadly accessible.

Agent Config Directory Access

High
Category
Agent Snooping
Content
# Claude Code Hooks configuration notes

- Docs: https://docs.claude.com/en/docs/claude-code/hooks
- Config location: `.claude/settings.json` (project level) or `~/.claude/settings.json` (user level)
- Event names (PascalCase): `SessionStart`, `PreToolUse`, `PostToolUse`, `Stop`, `SubagentStart`, `SubagentStop`
- Hook scripts receive camelCase JSON via stdin: `session_id`, `transcript_path`, `cwd`, `hook_event_name`, `tool_name`, `tool_input`
- **Block decision**: write `{"decision": "block", "reason": "..."}` to stdout (PreToolUse / Stop)
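The hook protocol in the note above is also the natural place to put the two controls this audit asks for: refuse tool calls that would modify user-level state under ~/.claude (the Agent Config Directory Access and Context-Inappropriate Capability findings), and redact secret-looking material from the subagent prompt before it is truncated to the 200-character preview and written to the session audit log (the Missing User Warnings finding on prompt-preview logging). The script below is an added example written for this page, not the scaffold's own hook code. It reads one JSON event from stdin and emits the `{"decision": "block", "reason": ...}` object the note documents; note that the input field names the note lists (`session_id`, `cwd`, `tool_name`, `tool_input`) are snake_case, not camelCase. The tool names (`Write`, `Edit`, `Bash`, ...), the `tool_input` keys, the `prompt` field on `SubagentStart`/`UserPromptSubmit`, and the audit log path are assumptions about the hook payload and are not taken from this page.

```python
#!/usr/bin/env python3
"""Claude Code hook guard (added example, not the scaffold's own code).

1. PreToolUse: block edits or shell commands that touch ~/.claude, so a
   project-scoped hook cannot silently change user-level Claude state.
2. Prompt preview logging: redact first, then truncate to 200 characters,
   so the audit log does not retain credentials that straddle the cut.
Tool names, tool_input keys, the "prompt" field and the log path below are
assumptions about the hook payload, not facts from the audited skill.
"""
import json
import posixpath
import re
import sys
from typing import Any, Dict, List, Optional

WRITE_TOOLS = {"Write", "Edit", "MultiEdit", "NotebookEdit", "Bash"}  # assumed names
PATH_KEYS = ("file_path", "path", "notebook_path")                    # assumed keys
PREVIEW_LIMIT = 200

SECRET_PATTERNS = [
    # key=value / key: value assignments: keep the key name, drop the value
    (re.compile(r"(?i)(api[_-]?key|token|secret|password|passwd)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED]"),           # AWS access key id
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[REDACTED]"),  # GitHub tokens
    (re.compile(r"\b([a-z][a-z0-9+.-]*)://[^/\s:@]+:[^@\s]+@"),
     r"\1://[REDACTED]@"),                                         # credentials in URLs
]


def _expand(path: str, home: str) -> str:
    """Expand ~ and $HOME against an explicit home so the logic is testable."""
    for prefix in ("~", "$HOME"):
        if path == prefix or path.startswith(prefix + "/"):
            return home + path[len(prefix):]
    return path


def paths_touched(tool_name: str, tool_input: Dict[str, Any], cwd: str, home: str) -> List[str]:
    """Absolute, normalised paths a tool call may write to.

    Relative paths resolve against the hook's cwd field (so ../.claude is caught);
    Bash commands are scanned for tokens naming ~/.claude, $HOME/.claude or the
    literal home directory.
    """
    found = []
    for key in PATH_KEYS:
        value = tool_input.get(key)
        if isinstance(value, str):
            found.append(value)
    if tool_name == "Bash":
        pattern = r"(?:~|\$HOME|%s)/\.claude[^\s'\"]*" % re.escape(home)
        found.extend(re.findall(pattern, tool_input.get("command", "")))
    return [posixpath.normpath(posixpath.join(cwd, _expand(p, home))) for p in found]


def decide(event: Dict[str, Any], home: str) -> Optional[Dict[str, str]]:
    """Block verdict for PreToolUse calls from write-capable tools that touch ~/.claude."""
    if event.get("hook_event_name") != "PreToolUse":
        return None
    tool = event.get("tool_name", "")
    if tool not in WRITE_TOOLS:
        return None
    protected = posixpath.join(home, ".claude")
    cwd = event.get("cwd") or home
    for p in paths_touched(tool, event.get("tool_input") or {}, cwd, home):
        if p == protected or p.startswith(protected + "/"):
            return {"decision": "block",
                    "reason": f"{tool} would modify {p}; user-level Claude state under "
                              f"{protected} must not be changed by a project hook"}
    return None


def redact_preview(text: str, limit: int = PREVIEW_LIMIT) -> str:
    """Redact, then truncate. Truncating first can still leak the head of a secret."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text[:limit]


def main() -> int:
    event = json.load(sys.stdin)
    verdict = decide(event, posixpath.expanduser("~"))
    if verdict is not None:
        print(json.dumps(verdict))  # stdout is the decision channel (see note above)
        return 0
    if event.get("hook_event_name") in ("SubagentStart", "UserPromptSubmit"):
        entry = {"session_id": event.get("session_id"),
                 "event": event["hook_event_name"],
                 "prompt_preview": redact_preview(event.get("prompt", ""))}  # assumed field
        with open(".claude/session-audit.jsonl", "a", encoding="utf-8") as fh:  # illustrative path
            fh.write(json.dumps(entry) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To wire it in, register the script as a `command` hook under `PreToolUse` (and the prompt events) in the project's `.claude/settings.json`; the exact matcher syntax is the one documented at the URL in the note, not something this page shows. Project-local `.claude/settings.json` writes are deliberately allowed, since that is the file the scaffold is expected to generate; only the user-level directory is protected.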
Confidence
90% confidence
Finding
~/.claude/settings.json

Context Leakage

High
Category
Data Exfiltration
Content
from typing import Dict, List

def extract_messages_after(messages: List[Dict], after_line: int) -> List[Dict]:
    """Extract conversation messages after a certain line number."""
    result = []
    for msg in messages:
        if msg['_line_num'] <= after_line:
            continue  # at or before the cut-off: not part of the catch-up window
        result.append(msg)
    return result
Confidence
92% confidence
Finding
Extract conversation

Hidden Instructions

High
Category
Prompt Injection
Content
### Module breakdown

<!-- List this project's main modules, directories and responsibilities -->
<!-- e.g.: src/api/ — REST endpoint layer; src/services/ — business logic layer; src/models/ — data model layer -->

## Security compliance
Confidence
70% confidence
Finding
<!-- List this project's main modules, directories and responsibilities --> <!-- e.g.: src/api/ — REST endpoint layer; src/services/ — business logic layer; src/models/ — data model layer --> ## Security compliance - No hardcoded sensitive information (passwords, keys, tokens, connection strings) — use environment variables - Log redaction: user email, phone number, password and national ID fields are not written to logs - All external input must be validated (pydantic / zo

VirusTotal

60/60 vendors flagged this skill as clean.
