Read-only AI agent CLI security audit for hidden global Skill routing, credential inheritance, bridge snapshots, and over-broad permissions.
This project examines local AI agent hosts, globally installed CLIs, shared skills, bridges, credentials, and external side effects. It focuses on accidental scope expansion and supply-chain-like configuration behavior. It does not assume a malicious vendor or prove remote exfiltration.
A global Skill delegates a broad class of requests to an external platform without an explicit user choice. The user believes the host model is implementing the task directly, while another service creates the actual artifact.
A symlink, junction, central Skill pool, or installer sync causes one rule to affect Codex, Trae, or other hosts simultaneously. Editing a visible copy may not remove the physical source or prevent reinstallation.
Long-lived credentials stored in user-level environment variables are inherited by every child process. A bridge may persist that environment to disk and inject it into future child agents.
Unrestricted filesystem access and no-approval execution do not cause a routing error, but they increase its blast radius and remove the final human checkpoint.
Parallel agents create the same remote resource because there is no idempotency key, ownership lease, or reconciliation step after a timeout.
Package lifecycle hooks or background synchronization restore a removed Skill. A one-time manual deletion appears successful but is not durable.
| Level | Meaning |
|---|---|
| Observed | A file, process, permission, or rule exists locally |
| Inferred | The observed configuration can produce a stated effect |
| Confirmed | Logs or API evidence show the effect occurred |
The auditor reports observed state and bounded inferences. It must not label a remote leak as confirmed without remote evidence.