Security audit

Claude Code Connector

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Claude Code bridge, but its real behavior depends on an unreviewed local shell script outside the submitted package.

Install only if you control and have inspected the referenced acp-bridge-claude.sh script. Treat anything you ask this skill to analyze as potentially forwarded to Claude Code through that bridge, and avoid secrets or private files unless that data flow is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger phrases are generic enough that normal user requests about Claude or asking Claude to handle something could activate this skill unintentionally. Because the skill forwards a free-form prompt to an external bridge script, accidental invocation could route sensitive context or tasks to another tool without clear user intent.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal