Sdd Dev Workflow

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate development automation skill, but it gives agents broad unattended authority to install software, approve prompts, run long sessions, and push code with too little user control.

Install only in a dedicated development workspace or container. Avoid bypassPermissions and dangerously-skip-permissions outside disposable sandboxes, disable or review automatic pip/apt installs, use least-privilege tokens, inspect scripts before running them, and manually review diffs, remotes, and secrets before any push or PR.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs users to execute shell commands, install packages, run git operations, and invoke local scripts, yet it declares no explicit permissions. This creates a transparency and consent failure: users or orchestrators may treat it as low-risk documentation while it actually drives code execution and system changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose frames the skill as a development workflow helper, but the behavior described includes autonomous tmux session control, permission bypassing, automated approval flows, repo mutation, local configuration inspection, and networked git/GitHub actions. This mismatch is dangerous because it obscures the real operational and trust boundary, increasing the chance the skill is invoked in contexts where such privileged automation is inappropriate.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The document explicitly authorizes automatic dependency installation (`pip install <package>`) as part of error handling during acceptance, which expands a verification step into an environment-mutating execution step. In this skill context, autonomous development agents may run these instructions on user workstations or CI environments, so unreviewed package installation can introduce supply-chain risk, execute arbitrary setup code, and make acceptance results non-reproducible.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document instructs running Claude Code with `--permission-mode bypassPermissions` and piping its output into a function that automatically executes `pip install` and `apt-get install` based on parsed error text. This creates an unsafe execution chain where untrusted tool output can trigger system-changing commands without confirmation, expanding the skill beyond documentation into unattended privileged package management.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
Although the text presents dependency handling as predictable, the provided automation later attempts installation of whatever command string appears in a `command not found` message. An attacker or malformed output could induce installation attempts for arbitrary package names, causing dependency confusion, unintended software installation, or abuse of system package managers.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script uses `source "$state_file"` on `/tmp/monitor-${session_id}.state`, which executes the file as shell code rather than parsing it as data. Because `/tmp` is world-writable, a local attacker who can create or modify that file can achieve arbitrary command execution in the context of whoever runs the monitoring script.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to modify `~/.openclaw/openclaw.json` or use `gateway({ action: "config.patch" ... })` to grant `main` permission to spawn subagents, but it does not clearly warn that this expands execution authority and trust boundaries. Changing agent permissions can enable additional autonomous actions under the user's environment, increasing the risk of unintended code execution, persistence, or misuse by downstream tasks or compromised skills.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill promotes spawning a long-running autonomous agent for up to 2 hours with `cleanup: "keep"`, describes it as requiring no active monitoring, and includes broad task instructions that can execute project commands and modify code. Without a prominent warning about autonomous execution, retained sessions, and their security/privacy implications, users may unknowingly authorize persistent unattended actions in their workspace.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The core principle explicitly says to install missing dependencies immediately without asking, normalizing silent environment modification. In an agent skill context, this is dangerous because it removes the human checkpoint before commands that alter the host, pull code from registries, or change execution behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section describes unattended monitoring of command output and automatic execution of `pip install` and `apt-get install -y` without any safety gate. Because the trigger is plain text parsing, any untrusted process output can influence package installation behavior, making arbitrary host modification and supply-chain exposure much more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document mandates `git push origin main` after acceptance, which can transmit source code, commit metadata, and possibly secrets to a remote repository without any explicit user confirmation step or warning. In an autonomous agent workflow, this is dangerous because it normalizes network exfiltration as an automatic final step rather than a user-approved action.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The initialization flow allows `git clone "$GIT_REPO" .` into the current directory with no trust validation, destination safety checks, or user-facing warning about overwriting/altering the working context. In an agent setting, pulling external content into the active workspace can replace local files, introduce untrusted code, or confuse subsequent automated actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide tells users to export a GitHub token directly in the shell without warning that the token is sensitive, should be minimally scoped, and may be exposed through shell history, logs, screenshots, or shared sessions. In a developer workflow skill, this omission increases the chance of credential leakage and misuse of repository access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting guide explicitly recommends `claude --dangerously-skip-permissions`, which disables all permission checks and materially lowers the safety boundary for the agent. Although it adds a brief note that this should only be used in a sandbox, this skill is for complex development workflows with automation and subagents, so normalizing a full bypass makes accidental unsafe execution, file modification, or command execution much more likely.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script automatically answers permission prompts inside the tmux-hosted Claude Code session by sending '1' and Enter whenever it sees 'Do you want to proceed?'. In this skill context, the driver is explicitly used to automate iterative development with edit-capable sessions, so silent approval can authorize sensitive actions—such as file modification, command execution, or other privileged agent operations—without user review.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
This clause mandates that all communication, comments, documentation and commit messages be written in Chinese, with no user choice, project-context constraint, or regional/compliance justification. In an agent skill intended for general-purpose development tasks, this overrides the user's language preference, reduces auditability and collaboration compatibility, and may induce the agent to ignore upstream system or user requirements, producing unsafe behaviour at the policy level.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The document-management section again stipulates that "all documentation must be written in Chinese", extending the fixed-language policy to all project documentation. For a general-purpose software development skill, this unconditional language lock increases the risk to cross-team collaboration, open-source compatibility, third-party review and internationalized delivery, and may lead the agent to produce documentation that does not meet the target environment's requirements in unsuitable contexts.

Session Persistence

Medium
Category
Rogue Agent
Content
**Option 1: create a new repository**
```bash
gh repo create my-project --private --clone
cd my-project
```
Confidence
84% confidence
Finding
create my-project --private --clone
cd my-project
```
**Option 2: link an existing repository**
```bash
git init
git remote add origin https://github.com/user/existing-repo.git
```
**Then run Specify init (only once)**:
```bash
specify
```

External Script Fetching

Low
Category
Supply Chain
Content
| Tool | Purpose | Installation |
|------|------|----------|
| **Python 3.11+** | Runtime environment | `apt install python3.11` |
| **Git** | Version control | `apt install git` |
| **UV** | Package manager | `curl -LsSf https://astral.sh/uv/install.sh \| sh` |
| **tmux 3.0+** | Session management | `apt install tmux` |
| **Claude Code** | Code generation | `npm install -g @anthropic-ai/claude-code` |
Confidence
90% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh \| sh

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Install
curl -LsSf https://astral.sh/uv/install.sh | sh

# Verify
uv --version
```
Confidence
90% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Install
curl -LsSf https://astral.sh/uv/install.sh | sh

# Verify
uv --version
```
Confidence
88% confidence
Finding
| sh

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal