Agent Autonomy Kit.Backup

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill openly aims to make the agent work unattended on queued tasks, including scheduled cron runs and team spawning, but it does not clearly limit what autonomous work is allowed.

Install only if you intentionally want unattended autonomous work. Before enabling cron or heartbeat changes, define exactly which tasks the agent may do, require approval for sensitive or external actions, protect the task queue from untrusted edits, use private communication channels, and verify the GitHub source before cloning anything.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may keep spending tokens and acting on queued tasks while the user is absent.

Why it was flagged

The README instructs users to create scheduled OpenClaw jobs that trigger work without interactive user prompting, which is persistent autonomous agent behavior.

Skill content

These run automatically — no human prompt needed.

Recommendation

Use only with explicit scopes, schedules, budgets, and a clear stop/disable procedure; require human approval for external writes, deployments, account changes, destructive actions, or sensitive data use.

What this means

One bad task or instruction could be amplified into parallel actions, duplicated work, unwanted posts, or broader unintended changes.

Why it was flagged

The recommended scheduled workflow can spawn multiple agents from the same task queue, so a mistaken or unsafe queue item can propagate across agents.

Skill content

--system-event "Morning kickoff: Review task queue, pick top priorities, spawn team members for parallel work."

Recommendation

Limit or disable automatic team spawning, assign clear task ownership, rate-limit autonomous runs, and review queue items before allowing multi-agent execution.

What this means

A poisoned or mistaken task entry could steer future autonomous runs, and sensitive work details could be retained in memory files.

Why it was flagged

The task queue and memory files become persistent context that drives future autonomous behavior, but the artifacts do not define validation, trusted editors, retention, or sensitive-content handling.

Skill content

Read `tasks/QUEUE.md`... Pick highest-priority Ready task you can do... Log what you did to `memory/YYYY-MM-DD.md`

Recommendation

Restrict who can edit queue and memory files, review tasks before autonomous execution, avoid storing secrets, and separate untrusted notes from executable task instructions.

What this means

Task details, progress notes, or blockers may be visible to channel members if configured.

Why it was flagged

Team-channel communication is disclosed and purpose-aligned, but it means autonomous progress details may be sent to configured external or shared channels.

Skill content

Agents communicate through Discord (or configured channel):
- Progress updates
- Handoffs

Recommendation

Use private approved channels, avoid posting secrets or sensitive customer data, and confirm which agents and humans can read the channel.

What this means

A user may install content from a different source than expected or from a moving branch that was not part of this review.

Why it was flagged

The README recommends cloning an unpinned repository, while the registry/SKILL homepage points to a different GitHub org, creating a provenance gap for users who follow the install instructions.

Skill content

git clone https://github.com/reflectt/agent-autonomy-kit.git skills/agent-autonomy-kit

Recommendation

Verify the intended repository, align the registry homepage and README source, and pin any clone instructions to a reviewed commit or release.