Back to skill

Security audit

Claude Code Wingman

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Claude Code orchestration tool, but it also automates trust and permission approvals in ways that can let coding agents take high-impact actions with too little human review.

Install only if you intentionally want remote Claude Code orchestration and understand that approval prompts may be automated or handled through WhatsApp. Avoid using auto or always approvals on sensitive repositories, production systems, or sessions with secrets; prefer manual review, restrict target directories, and review webhook and /tmp state handling before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (56)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly directs the agent to invoke shell scripts, tmux commands, and external GitHub-hosted tooling, yet it declares no explicit permissions or safety boundaries. This creates a capability mismatch where operators may underestimate that the skill can execute commands and interact with networked/local resources, increasing the chance of unsafe deployment.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The changelog documents an auto-approver that handles approval and trust prompts automatically, which is a materially sensitive capability not reflected in the stated skill purpose of orchestration and monitoring. Auto-approving safety gates can let dangerous actions proceed without informed user consent, especially when the underlying agent can run commands or access files across projects.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The documented 'zero intervention' and automatic trust/approval handling significantly expand the skill's effective behavior beyond simple session orchestration and monitoring. In this context, the mismatch hides that the skill can bypass human review checkpoints, increasing the chance of unsafe remote operations or unintended access across multiple tmux-managed sessions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This script automatically approves trust and permission prompts in a tmux session, which bypasses a core security boundary intended to require explicit human consent. In the context of a tool that orchestrates multiple Claude Code sessions, this is especially dangerous because it can silently grant broader access across projects or sessions without the operator noticing.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script unconditionally approves any prompt containing 'Do you trust' by sending Enter to the tmux session, based only on fragile text matching. In this skill's context, that trust decision can weaken later safeguards and allows a prompt shown inside the monitored session to trigger privileged approval without human review.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
These research notes explicitly explore ways to remove or bypass Claude Code's interactive approval mechanism, including pre-populating approvals and programmatically responding to prompts. In the context of a skill that orchestrates multiple sessions remotely, this weakens a core safety control and enables actions to proceed without informed human confirmation.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The notes acknowledge that official configuration does not disable security prompts, then document a successful workaround that auto-approves prompts by driving the TUI. This is dangerous because it intentionally circumvents a built-in safeguard and converts a consent gate into an unattended action path.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The changelog presents fully hands-off approval handling as a feature without warning users that approval prompts exist to prevent unsafe execution and trust elevation. Suppressing or automating those prompts can cause users to unknowingly authorize file access, command execution, or environment changes that would normally require deliberate review.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatically approving SSH-related operations without human intervention is especially risky because remote commands can modify systems, access secrets, or affect production infrastructure. Documenting this as successful behavior without warning normalizes a workflow that defeats a key safety barrier for sensitive remote operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes an `--auto` mode that disables approval prompts for an agent capable of editing files and taking actions in development environments, but it does not warn users about the risks of unattended execution. In this skill's context—remote orchestration of Claude Code sessions from WhatsApp and tmux—removing human approval materially increases the chance of unintended code changes, destructive commands, or misuse if the chat channel or bot is compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to immediately execute approval actions from terse WhatsApp messages like 'approve <session>' and then return the result, without requiring verification of the pending tool call or displaying the actual action being approved. Because approvals can authorize destructive shell commands in another session, a spoofed, mistaken, or context-free message could grant dangerous execution with minimal human review.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly states that an auto-approver will handle permission prompts and auto-approve all 'Do you want...' prompts for the project/session. That removes an important human safety checkpoint and can let Claude Code perform sensitive actions in the workspace without meaningful review, while the documentation provides no warning about the security implications.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script approves irreversible trust/permission prompts without any user confirmation, warning, or verification of the exact prompt contents. That means a loosely matched string like "Do you trust" or "Do you want" can trigger unintended approval of sensitive actions, undermining the safety model of the underlying tool.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script automatically accepts a Claude Code trust prompt by sending Enter when it sees 'Do you trust', without confirming the repository identity or warning the user. Trust approval can relax safety boundaries for the session and, in this orchestration context, enables unattended execution against an arbitrary working directory, making downstream tool use or code changes more dangerous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The help text advertises '--auto' as 'Auto-approve all prompts' but does not clearly warn that this enables unattended approval of potentially sensitive actions. In a tool designed to orchestrate agent sessions, lack of an explicit warning materially increases the chance that users enable unsafe autonomous behavior without understanding the risk.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The skill directs the agent to spawn an external coding session whenever a user asks for coding work, which is a very broad trigger for a high-impact action. Because this action launches an autonomous code-writing tool in a chosen working directory, ordinary requests could escalate into unsupervised execution without explicit confirmation or scoping.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly promotes automatic approval of permission prompts, removing an important safety gate for file access, command execution, or other sensitive actions. In this context, the tool is intended to perform coding tasks across projects, so auto-approving prompts can enable unintended or unsafe modifications without meaningful user review.

Missing User Warnings

High
Confidence
99% confidence
Finding
This code sends input into an interactive session without user confirmation whenever output matches 'Do you trust'. Because the trigger is broad and the action is immediate, a crafted or unexpected prompt in the tmux pane can cause security-sensitive approval to be granted automatically.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script captures terminal output and writes the extracted prompt text to files under /tmp, which is a shared and potentially inspectable location on multi-user systems. Session content may contain sensitive data, project paths, commands, or secrets, creating an unintended local disclosure risk and residual data exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly documents an approval automation flow and includes `always`/`all` as valid responses, but it does not warn that this grants blanket approval for all subsequent actions in that session. In a tool designed to orchestrate remote Claude Code sessions, that omission can cause operators to unknowingly disable an important safety checkpoint, increasing the chance of unauthorized file changes, command execution, or other risky actions being approved automatically.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script sends approval details extracted from tmux session output over WhatsApp, which can expose command contents, file paths, prompts, or other sensitive workflow context to a third-party messaging channel. There is no visible consent, redaction, or classification check in this script before transmitting that data, so sensitive information may be disclosed unintentionally.

Missing User Warnings

High
Confidence
97% confidence
Finding
The document not only describes but celebrates successful automation of approval prompts without human intervention, while omitting warnings about the security implications. In a remote orchestration skill, that encourages deployment of unsafe behavior that could authorize file creation, command execution, or broader directory access automatically.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file explicitly instructs auto-approving all Bash commands without user confirmation, which removes a key safety control around arbitrary command execution. In an agent skill context, this is especially dangerous because downstream prompts, tools, or manipulated inputs could cause destructive or data-exfiltrating shell commands to run without human review.

Ssd 4

High
Confidence
97% confidence
Finding
These staged test plans lay out multiple methods for bypassing or suppressing approval controls, including fallback automation if direct configuration fails. That kind of procedural guidance materially lowers the barrier to implementing a security-control bypass in the skill or by downstream users.

Ssd 2

High
Confidence
98% confidence
Finding
The natural-language description clearly explains a mechanism for detecting approval prompts and selecting the permissive option automatically, even without explicit exploit keywords. That is effectively an approval-bypass technique and is especially risky because it can be embedded into unattended orchestration flows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.