Security audit

Agent自动研究循环 (Agent Autonomous Research Loop)

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate autonomous experiment runner, but it needs Review because it can edit code, run commands indefinitely, and use destructive git resets without enough guardrails.

Install only in repositories where you are comfortable with autonomous code changes and command execution. Use it on a disposable branch or worktree, start from a clean git status, set explicit experiment/time limits yourself, and avoid running it where uncommitted work or important local changes could be lost.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding:
The skill requests broad capabilities including arbitrary shell execution and session spawning, which materially expand what the agent can do beyond narrowly running a bounded experiment loop. In this context, those permissions could be used to execute harmful commands, persist long-running activity, or escape the intended scope if the configuration or prompts are manipulated.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding:
The instruction to 'run indefinitely until the user stops you' removes normal reauthorization checkpoints and encourages unbounded autonomous action. Combined with file modification, git operations, and shell access, this can lead to excessive resource consumption, large volumes of unintended changes, and prolonged unsafe behavior after a mistaken invocation.

Vague Triggers

Medium
Confidence: 82%
Finding:
The trigger phrases are broad enough to match common requests like 'optimize' or 'run experiments', which increases the chance the skill is invoked in contexts where the user did not intend autonomous code modification and execution. Because this skill can edit files and run shell commands, accidental invocation raises the risk substantially.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The skill directs repeated code changes, commits, command execution, and destructive reverts without prominently warning the user about those side effects. Users may not realize the agent will rewrite tracked files and discard committed work via hard resets, which can cause data loss or repository disruption if setup constraints are wrong.

Tool Parameter Abuse

High
Category: Tool Misuse
Content:
```
#    If the run crashed or timed out:
#    - Read the error from run.log
#    - Record as crash in results.tsv
#    - Revert: git reset --hard HEAD~1
#    - Diagnose and try a different approach
```
Confidence: 97%
Finding: git reset --hard

Tool Parameter Abuse

High
Category: Tool Misuse
Content:
```
→ Log: "KEEP: <description> (<metric>: <old> → <new>)"

ELIF metric equal or worse:
    → DISCARD: git reset --hard HEAD~1
    → Log: "DISCARD: <description> (<metric>: <value> vs best <best>)"

ELIF crashed or timed out:
```
Confidence: 97%
Finding: git reset --hard

Tool Parameter Abuse

High
Category: Tool Misuse
Content:
```
→ Log: "DISCARD: <description> (<metric>: <value> vs best <best>)"

ELIF crashed or timed out:
    → CRASH: git reset --hard HEAD~1
    → Log: "CRASH: <description> (error: <brief error>)"
```
Confidence: 97%
Finding: git reset --hard

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.