Agent Autonomy Kit Zh
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill openly aims to make an agent run scheduled, unattended work, but it does not clearly limit what the agent may do or when it must ask for approval.
Install only if you intentionally want an agent to perform unattended scheduled work. Before enabling cron, define exactly what tasks are allowed, require approval for high-impact actions, restrict queue and memory editing, use private team channels, verify the repository origin, and keep an easy way to pause or remove the scheduled jobs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After setup, the agent may keep working in the background, consume tokens, edit queue/memory files, post updates, or launch helper agents without a fresh prompt.
The skill instructs users to schedule unattended agent activity and even spawn team members, with no clear stop condition or approval model beyond the user initially setting up cron.
openclaw cron add ... --system-event "Morning kickoff: Review task queue, pick top priorities, spawn team members for parallel work." ... These run automatically — no human prompt needed.
Enable cron only intentionally, define active hours and a kill switch, and require explicit approval for spawning agents, posting externally, or performing high-impact tasks.
A broad or poorly written queue item could lead the agent to use whatever tools it already has available, going beyond the low-risk work the user intended.
The action loop is broad and does not specify which tools, file paths, account actions, or external communications are allowed during autonomous work.
Read `tasks/QUEUE.md` ... Pick highest-priority Ready task you can do ... Do meaningful work on it ... If time/tokens remain, pick another task
Define allowed task classes, restricted paths, and mandatory human approval for code changes, deployments, account mutations, purchases, deletions, or public/external posts.
Mistaken, stale, or malicious task entries could steer future unattended sessions and compound over time through self-added tasks and memory notes.
Persistent task queue entries are used to direct future autonomous work, and the artifacts do not describe provenance checks, trusted writers, or review before tasks become actionable.
Any agent can pick up a "Ready" task ... Add new tasks as you discover them
Restrict who can edit the queue, review new tasks before autonomous runs, record task provenance, and separate untrusted ideas from approved actionable work.
Sensitive project information may be posted to team channels, or channel messages may influence agent coordination.
Team-channel communication is optional and purpose-aligned, but it can expose project details or accept coordination signals from channels if permissions are not carefully configured.
Agents communicate through Discord (or configured channel): Progress updates; Handoffs; Blockers; Discoveries
Use private, access-controlled channels, avoid posting secrets, and verify bot permissions and message origins before relying on team-channel instructions.
A user following the README may clone and trust a repository that does not match the skill's listed homepage/source.
The registry/source information and README installation target point to different GitHub origins, which is a provenance gap even though no code is bundled or automatically executed here.
Source: unknown; Homepage: https://github.com/itskai-dev/agent-autonomy-kit ... git clone https://github.com/reflectt/agent-autonomy-kit.git skills/agent-autonomy-kit
Verify the intended repository owner, inspect the remote content before use, and pin a trusted commit or update the metadata to match the documented source.
