ccboard
Fail
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill is designed to read and display the contents of
~/.claude/claude_desktop_config.json, a file that typically contains sensitive API keys and environment variables used for MCP server authentication. - [DATA_EXFILTRATION]: The skill includes a web interface (
/ccboard-web) described as supporting 'remote monitoring' and 'concurrent multi-user access'. This interface serves sensitive data, including credentials and chat history, over the network. The absence of documented authentication mechanisms poses a high risk of unauthorized data exposure if the service is exposed to the network. - [EXTERNAL_DOWNLOADS]: The installation process uses
cargo install ccboardto fetch and compile code from the public crates.io registry. This introduces a dependency on an unverified third-party binary at runtime. - [COMMAND_EXECUTION]: The skill invokes the
ccboardbinary to perform monitoring tasks and manage MCP server status. - [REMOTE_CODE_EXECUTION]: The installation script provides instructions to download and execute the official Rust toolchain installer from
https://sh.rustup.rsusing a shell pipe, which is a sensitive operation for environment setup.
Recommendations
- HIGH: Downloads and executes remote code from: https://sh.rustup.rs - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata