Security audit

Claude Code Task

Security checks across malware telemetry and agentic risk

Overview

This skill appears to support a real coding-agent workflow, but it gives spawned agents broad access to secrets and bypassed permission safeguards without clear enough user control.

Install only if you are comfortable with a spawned coding agent seeing your worktree and any linked env secrets. Prefer not to symlink real `.env` files; use task-scoped credentials, review every command before launch, and avoid permission-skipping modes unless you explicitly accept the risk for that run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The skill persists a user's tool preference in memory and writes it to MEMORY.md even though that persistence is not necessary to complete a single coding task. This creates unnecessary data retention and an additional disclosure surface, especially if MEMORY.md is committed, shared, or read by other tools without the user's awareness.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: Mandating symlinks to `.env` and `.env.local` exposes secrets and runtime credentials to every spawned coding agent session in the worktree. Because the skill is specifically designed to launch external coding agents, this broadens secret access beyond what is required and can lead to credential leakage, misuse, or exfiltration.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The skill claims each task is isolated, but the required `.env` symlinks intentionally reintroduce shared sensitive state into the supposedly isolated worktree. This mismatch can mislead users into trusting the setup more than they should and may cause them to expose secrets under a false assumption of isolation.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The skill says the agent must wait for user approval before touching files, yet it launches Claude with `--dangerously-skip-permissions`, which disables an important safeguard. That contradiction undermines the claimed approval flow and increases the chance of unauthorized file changes or other privileged actions occurring before meaningful review.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: The activation criteria are broad enough to trigger on many ordinary coding requests, increasing the chance that this high-privilege workflow is invoked when a simpler, safer approach would suffice. In context, that matters because the skill also provisions persistent tmux sessions, worktrees, and potentially secret-bearing environments.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill stores the user's tool preference in memory and MEMORY.md without a clear user-facing disclosure that this preference will be retained. Even if the data seems low sensitivity, undisclosed persistence violates user expectations and can create unwanted profile data or accidental disclosure through project files.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The skill instructs exposing `.env` files to spawned agent sessions without any prominent warning that secrets may become accessible to those tools. Given the workflow's purpose of delegating coding tasks to external agents, failing to warn users materially increases the risk of secret disclosure and misuse.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: Launching Claude with `--dangerously-skip-permissions` bypasses an important safety control, yet the skill provides no clear warning to the user that permission safeguards are being disabled. In a tool that can modify code and access the worktree context, undisclosed bypass of permissions substantially raises operational risk.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The troubleshooting guidance recommends deleting an existing git worktree to resolve a branch conflict, but it does not warn that removing the wrong worktree can discard uncommitted changes or disrupt another active task. In a skill designed for automated coding workflows, operators may copy commands verbatim, increasing the chance of unintended destructive actions.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The file suggests symlinking a `.env` file into the worktree and running Claude with `--dangerously-skip-permissions`, but provides no warning about exposing secrets or bypassing safety controls. In this skill's context, which orchestrates coding agents inside persistent sessions, that combination can broaden access to sensitive credentials and reduce guardrails around file and command access.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

No suspicious patterns detected.