Back to skill

Security audit

Claude Code API Optimizer Skill

Security checks across malware telemetry and agentic risk

Overview

This instruction-only token optimizer is coherent and low-risk, but users should understand that it may save selected conversation facts into local memory files.

Install only if you are comfortable with selected conversation facts being saved locally and possibly processed by a secondary model. Avoid using it with secrets, regulated data, or confidential projects unless you define where memory files live, who can read them, how long they are retained, and how to delete them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs agents to extract and persist user-related information such as preferences, expertise, corrections, goals, deadlines, and external references into long-lived memory files, but provides no consent, minimization, retention, access control, or privacy safeguards. In practice, this can cause unnecessary storage of personal or sensitive conversational data across sessions, increasing the risk of privacy violations, over-collection, and unintended disclosure if those memory files are later reused or exposed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.