Read-only AI agent CLI security audit for hidden global Skill routing, credential inheritance, bridge snapshots, and over-broad permissions.
This is a sanitized configuration-risk case study, not a claim that every Coze CLI version or installation behaves identically. The observations below were verified on one Windows installation of @coze/cli version 0.3.4 on 2026-07-13. Product behavior may change; always inspect the installed version.
@coze/cli was installed globally through npm.using-coze-cli Skill appeared in a shared user-level Agent Skill pool.The result was a routing and scope-control failure. It does not establish that credential values were transmitted to a remote service.
Check the globally installed package:
npm ls -g @coze/cli --depth=0
$npmRoot = npm root -g
$package = Get-Content "$npmRoot\@coze\cli\package.json" -Raw | ConvertFrom-Json
$package.version
$package.scripts.postinstall
List global Agent Skill locations without opening credentials:
Get-ChildItem "$HOME\.agents\skills" -Directory -ErrorAction SilentlyContinue
Get-ChildItem "$HOME\.trae\skills" -Directory -ErrorAction SilentlyContinue |
Select-Object Name, LinkType, Target
Check whether a bridge snapshot exists. Do not print its contents in a shared terminal or issue:
Get-Item "$HOME\.coze\bridge\agent-env.json" -ErrorAction SilentlyContinue |
Select-Object FullName, Length, LastWriteTime
The repository tool performs these checks more safely because it reports sensitive field names only:
agent-scope-guard --json --fail-on high
There can be three independent persistence layers:
A durable fix must reconcile all three and then rerun the audit after the next CLI upgrade.
Automatic Skill installation can be a convenience feature. The risk arises when convenience crosses an invisible trust boundary: broad implicit triggers, multiple hosts, ambient secrets, or external writes without explicit confirmation. The safer product design is explicit delegation plus narrow credential and permission scopes.