Back to skill

Security audit

Claude Anywhere

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote Claude Code bridge, but it gives messaging users broad local file and command authority with weak scoping and persistence controls.

Install only if you intentionally want chat users to control Claude Code on this machine. Run it as a dedicated unprivileged user or container, restrict the working directory and bot membership, protect and rotate tokens, avoid sensitive hosts, review /sessions exposure, and disable or closely monitor /cron jobs unless unattended file and command actions are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The /sessions and /resume features enumerate sessions from ~/.claude/projects globally, then let any bridge user resume a matching session by prefix. That exposes unrelated local Claude histories and can leak prior prompts, assistant outputs, or context from other users/projects on the host, creating a cross-user/session isolation failure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises remote file read/write and command execution from chat platforms without any warning about host compromise, accidental destructive actions, or the need to restrict bot access. In the context of an agent skill that bridges messaging apps to a shell and filesystem, omission of safety guidance materially increases the likelihood of unsafe deployment and misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The session resume feature explicitly allows conversations to be retained and resumed across devices and platforms, but the README does not warn that prompts, code, files, and sensitive operational context may persist and become accessible from another linked channel. This creates a real privacy and access-control risk, especially for an AI agent used to manage code and servers.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README presents natural-language scheduled tasks as convenient but does not warn that these jobs may run unattended later and can trigger impactful actions without live user review. For a tool that can execute commands and manipulate files, unattended execution materially raises the risk of delayed destructive or unauthorized actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises remote file writing and command execution through Telegram, WeChat Work, and QQ, but provides no warning about the possibility of destructive actions, data loss, or host compromise if the bot is misconfigured or accessed by an unauthorized party. In this context, the messaging-platform exposure makes the capability materially more dangerous because it turns high-privilege local actions into remotely triggerable operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions tell users to obtain and place bot tokens, app secrets, and other credentials into configuration without warning that these values are sensitive and can enable account takeover or unauthorized bot control if leaked. Because this skill bridges external messaging services to local automation, credential compromise could directly expose command execution and file access pathways.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The bridge downloads user-supplied files to local disk and then instructs the downstream Claude agent to read/analyze them, but this file shows no user-facing notice, consent, or retention disclosure. In a messaging bridge that handles potentially sensitive enterprise documents, silent storage and forwarding increases privacy and compliance risk because users may not realize files are persisted in /tmp and processed by another component/service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code appends a machine identifier to a purchase URL and sends it to the user without any disclosure or explanation. Even if intended for licensing, embedding a persistent device identifier in a link can expose tracking data to the vendor and creates a privacy issue if users are unaware their environment is being fingerprinted.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code invokes the Claude subprocess with --dangerously-skip-permissions, explicitly disabling permission safeguards while advertising capabilities like file access, code management, and command execution. In this skill context, untrusted chat-originated input can reach a highly privileged agent, greatly increasing the chance of arbitrary file reads, writes, or command execution without meaningful runtime consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
checkQuotaRemote sends user_id and optionally license_key to a remote licensing service, but this file provides no explicit notice, consent, minimization, or protection guarantees for that transfer. This creates privacy and data-handling risk, especially when chat platform identifiers may be personally identifying and license keys are secrets.

Ssd 1

High
Confidence
94% confidence
Finding
The code interpolates raw user input directly into a privileged model prompt and then trusts the model's structured output to create scheduled tasks. An attacker can craft scheduling text that semantically overrides the parser's intent, causing the model to emit a malicious prompt or schedule that will later be executed automatically.

Ssd 3

High
Confidence
97% confidence
Finding
User-controlled prompts are persisted and later executed through Claude with --dangerously-skip-permissions, creating a delayed arbitrary-agent-action primitive. In the context of this skill, which explicitly supports file access, command execution, code management, and messaging integration, a benign-looking scheduled request can be used to read sensitive data and exfiltrate it via the result callback.

Credential Access

High
Category
Privilege Escalation
Content
const proc = spawn(this.claudePath, args, {
        cwd: this.claudeCwd,
        env: { ...process.env },
        stdio: ["pipe", "pipe", "pipe"],
      });
Confidence
89% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
core.mjs:649

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cron-manager.mjs:117

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bridge-qq.mjs:39

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bridge-telegram.mjs:28

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
core.mjs:322

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
license-client.mjs:38

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
core.mjs:393