claude-code (Deprecated alias)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real Claude Code task orchestrator, but it needs Review because it runs long-lived coding agents with permission prompts disabled and broad shell access.

Install only if you intentionally want Claude Code jobs that can edit files and run commands without per-action approval. Use it in a clean, backed-up, isolated worktree or container, avoid sensitive prompt/reference files, do not pass untrusted labels, paths, SSH hosts, or lint/build commands, and monitor or stop tmux sessions you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to execute shell commands, manage tmux sessions, and invoke local scripts, yet it declares no permissions. That mismatch weakens security review and user understanding because powerful execution capability is hidden behind an apparently lower-trust interface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior understates the actual operational scope: the skill can apparently interact with remote hosts, transfer files, run repo validation commands, persist state, and perform reconciliation beyond simple task orchestration. This kind of description-behavior mismatch is dangerous because reviewers may approve it for a narrow purpose while it retains broader execution and data-movement powers.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script launches Claude with `--dangerously-skip-permissions`, explicitly disabling an important safety boundary while also handing it a task prompt that can include shell commands, file operations, reporting, and optional remote-host actions. In the context of an automation skill designed to run development work autonomously in tmux and over SSH, this materially increases the chance of unintended or prompt-influenced destructive actions without runtime approval.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow explicitly launches Claude with `--dangerously-skip-permissions`, which disables an important safeguard layer while the model is being asked to perform coding tasks through shell-accessible automation. In this context, that meaningfully increases the chance of unintended file changes, command execution, or broader workspace impact without an explicit informed-consent warning to the user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The rules direct operators to inspect and restart sessions and to kill stale Claude processes, which are destructive process-management actions. Without an explicit warning, confirmation step, or scope limitation, this can terminate the wrong process/session, disrupt active work, or cause data loss in a shared or misidentified environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script executes values from `--lint-cmd` and `--build-cmd` using command substitution, so any caller-controlled string is run by the shell in the current working directory with the script's privileges. In this skill's context, those arguments are explicitly exposed as configurable task inputs for development automation, which makes command injection and unintended code execution more dangerous because the agent may pass through untrusted or loosely reviewed values.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script captures the last lines of a tmux pane and emits them in output/JSON, which can expose secrets, credentials, proprietary code, or other sensitive terminal content to downstream consumers. Because this skill is specifically designed to make task progress observable, the context increases the likelihood that sensitive in-session output will be surfaced beyond the original terminal boundary.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script copies the prompt/reference file and generated prompt content to `/tmp`, may transfer them to a remote SSH host via `scp`, and then injects their contents into an external Claude process, all without explicit disclosure or consent checks in the script. Because task and prompt files may contain proprietary code, secrets, or sensitive instructions, this creates a real data exposure risk that is amplified by the skill’s remote-execution and automation focus.

VirusTotal

64/64 vendors flagged this skill as clean.