AS Autoresearch Loop

Security checks across malware telemetry and agentic risk

Overview

This optimization skill is not clearly malicious, but it ships conflicting active instructions that can drive long-running file-changing loops with too little user control.

Review before installing. Use it only on sandbox copies or isolated branches, set explicit max iterations/time/cost/write limits, confirm exact writable paths before starting, and avoid live workflows or production prompts. The publisher should remove or clearly quarantine the nested and historical SKILL files that still contain unbounded autonomy instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (165)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly directs the agent to 'LOOP FOREVER' and 'Never stop until interrupted,' enabling long-running autonomous behavior without periodic user confirmation. In a file-editing optimization context, that can lead to excessive iterations, repeated writes, runaway token/tool usage, and continued modification after the user would reasonably expect a checkpoint.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The skill includes concrete shell commands for copying, restoring, and diffing files, which moves it from methodology guidance into operational file manipulation. In an autonomous loop, these instructions can cause unintended overwrites, stale-state restoration, or broad filesystem interaction beyond what the user explicitly approved.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill authorizes unattended CI/CD-style operation for an artifact-modifying loop, meaning the agent may continue evaluating and mutating artifacts without live human oversight. Even with stated guardrails, this materially increases the chance of runaway experimentation, excessive resource consumption, and unsafe or low-quality candidate outputs being produced at scale.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The skill explicitly instructs the agent to run shell commands such as cp, diff, and git operations to back up, restore, and manage versions. Those are real side-effecting capabilities that can alter local state, and the skill does not require explicit per-action user confirmation or constrain paths, making unintended file modification or rollback plausible.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to 'LOOP FOREVER' and 'NEVER STOP' until manually interrupted, enabling sustained autonomous modification and evaluation without renewed user approval. In an agent environment with file access or external tool use, this creates a real risk of runaway actions, excessive spend, large unintended changes, and reduced human oversight over destructive iterations.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill includes operational commands for copying, restoring, diffing, and optionally using git to manipulate files, which goes beyond purely methodological guidance into direct system-state modification. In practice, this can overwrite artifacts, revert unrelated work, or normalize shell execution as part of the skill without ensuring sandboxing, path constraints, or user approval for each action.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill explicitly instructs an autonomous loop that continues making changes across broad artifact types, including workflows and business processes, until manually interrupted. In an agent setting, this can drive repeated high-impact modifications without bounded approval gates, increasing the chance of unintended changes, operational disruption, or unsafe optimization behavior beyond the user's immediate intent.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill goes beyond high-level methodology and gives concrete shell commands for copying, restoring, diffing, and git-based file operations. In an autonomous loop context, this materially increases the chance the agent will perform state-changing filesystem actions without explicit per-action user approval, which can overwrite files, revert desired changes, or interact with repositories more broadly than intended.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill explicitly instructs copying, restoring, diffing, and otherwise mutating files as part of the loop, which goes beyond purely conceptual guidance and into operational filesystem actions. In a skill that may be triggered broadly and run autonomously, these instructions can cause unintended file changes, overwrite the wrong artifact, or persist state changes without a strong confirmation boundary.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest presents the skill as an improvement workflow, but its actual behavior directs autonomous operation that continues indefinitely until interrupted. That mismatch is dangerous because users may invoke it expecting bounded assistance, while the skill is designed to keep taking actions and consuming resources without periodic consent checkpoints.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to autonomously apply changes, evaluate, keep/discard, and repeat, which materially increases the chance of unintended file modification without a fresh user checkpoint at execution time. In a skill that can operate on prompts, workflows, and files, this creates a real risk of unauthorized or surprising state changes, especially when paired with broad trigger language and indefinite looping.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill recommends concrete shell and git commands for copying, restoring, diffing, and manipulating tracked files even though it is framed as a methodology skill. Encouraging filesystem and version-control operations broadens the operational blast radius and can lead an agent to alter or overwrite local artifacts beyond what the user clearly authorized.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to continue modifying, testing, and logging changes indefinitely until manually interrupted, without re-confirming user intent or enforcing a bounded iteration cap. In an agent setting, this can lead to uncontrolled autonomous actions, repeated file writes, and excessive compute/token consumption beyond what a user likely expects from a single request.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill provides concrete shell and git commands for copying, restoring, diffing, stashing, and checking out files as part of its normal flow. In an agentic environment, operational instructions like these materially increase the chance of unreviewed filesystem changes, accidental overwrites, or destructive state transitions if the agent can execute tools.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to 'LOOP FOREVER' and 'NEVER STOP' until manually interrupted, which authorizes prolonged autonomous operation without periodic user confirmation. In a skill that edits artifacts, runs evaluations, and logs iterations, this can lead to excessive actions, runaway costs, or unintended continued modification after the user's original intent has been satisfied.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The skill includes shell command and git/file-operation guidance such as cp, diff, git stash, and checkout as part of the standard workflow. Even if presented as examples, this broadens the skill from conceptual optimization guidance into operational file manipulation, increasing the chance of unintended filesystem changes or misuse in environments where command execution is available.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The skill explicitly directs the agent to run shell commands and git/file operations such as cp, diff, git stash, and checkout. In an autonomous loop that edits artifacts repeatedly, these instructions expand capabilities from advisory guidance into operational system modification, which can affect local files or repositories if executed without strict sandboxing and user confirmation.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill explicitly tells the agent to continue running without pausing for user confirmation and to keep going until manually interrupted. In an agent environment, this removes normal human gating and can lead to excessive actions, unintended edits, cost overruns, or prolonged operation beyond what the user expected from a methodology-oriented skill.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill explicitly instructs the agent to perform shell-based copy/revert operations and to use git for version control during the loop. In an autonomous skill, file-mutating commands increase the risk of unintended overwrites, workspace corruption, or acting on the wrong path, especially because the workflow encourages repeated edits over long runs.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to 'LOOP FOREVER' and later says to 'NEVER STOP' mid-session unless manually interrupted. That creates open-ended autonomous behavior with no built-in iteration cap, budget cap, or periodic re-authorization, which can drive excessive tool use, file churn, and unintended modifications beyond what a user reasonably expects from a single request.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill explicitly directs the agent to continue iterating indefinitely until manually interrupted, which can cause runaway execution, excessive token/tool consumption, and repeated file mutations without a bounded stop condition. Even though later sections mention stopping criteria, the top-level behavior encourages open-ended autonomy and creates an operational safety risk.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The document contains conflicting control instructions: 'never stop until interrupted' versus later legitimate stopping criteria. This contradiction can cause unsafe agent behavior because a model may follow the more aggressive instruction and ignore sensible termination conditions, especially in automated environments.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill goes beyond describing a methodology and explicitly instructs shell-based file operations such as copying and restoring artifacts. In an autonomous loop context, this creates a real capability for filesystem modification without clear consent, sandboxing, or path restrictions, which can overwrite user files or propagate mistakes across iterations.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill explicitly directs autonomous modification, evaluation, logging, and repetition in a 'LOOP FOREVER' pattern across arbitrary artifacts, including prompts, workflows, and process documents. In an agent setting, this creates an unsafe unattended change engine that can continue making consequential edits until externally interrupted, increasing the chance of drift, damaging changes, or misuse on sensitive artifacts.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to run an effectively unbounded autonomous modification-and-evaluation loop until manually interrupted. In an agentic environment with tool access, this can cause uncontrolled file edits, repeated workflow executions, runaway cost, and prolonged unsafe actions without fresh human approval at each step.

VirusTotal

63/63 vendors flagged this skill as clean.