Back to skill

Security audit

Agent Autonomy Kit.Backup

Security checks across malware telemetry and agentic risk

Overview

This skill openly enables unattended autonomous agent work, but it gives broad cron, queue-editing, memory-writing, team-posting, and multi-agent instructions without enough user-control boundaries.

Review before installing. Use this only if you intentionally want unattended autonomous work. Define an approved task queue, cap runtime and budget, require human approval for external posts, deployments, account changes, destructive edits, or sensitive data use, and verify the intended GitHub source before cloning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly encourages agents to pull tasks and update persistent workspace files such as `tasks/QUEUE.md` and daily memory without any guardrails around user approval, scoping, or protected paths. In an autonomy-focused skill, this increases the chance of unintended modification of user files, task corruption, or persistent state changes that the user did not authorize.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs agents to post progress and handoffs to Discord/Slack without warning about disclosure of workspace-derived information to third-party services. Because the skill is designed for continuous autonomous operation, an agent may repeatedly exfiltrate sensitive project details, internal notes, or user data to external channels with little human oversight.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The overview says to transform an agent from 'reactive to proactive,' which encourages autonomous behavior without defining trigger boundaries, approval requirements, or safe operating limits. In the context of an agent skill, this can normalize self-directed action beyond user intent and increase the chance of unintended task execution or persistence.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick-start instructions recommend setting up cron jobs for overnight work and daily reports without any warning about unattended autonomous operation. This is dangerous because scheduled execution can cause repeated actions, data changes, or report generation while no user is supervising, amplifying mistakes or abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The phrase 'Work until limits hit' promotes sustained autonomous action but does not describe what those limits are or how they are enforced. In an agent skill focused on continuous operation, this omission makes the guidance more dangerous because it can lead to runaway loops, excessive resource use, unreviewed changes, or repeated interactions with external systems.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The line 'Idle time = wasted tokens. Keep working.' encourages indefinite autonomous operation without a clear stopping condition or approval boundary. In an autonomy-focused skill, this broad trigger can cause the agent to continue taking actions beyond user intent, increasing the chance of unnecessary file changes, noisy coordination, or other unauthorized work.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to update `tasks/QUEUE.md`, log to `memory/YYYY-MM-DD.md`, and potentially create new tasks, but it does not require notifying the user that project records will be modified. This can lead to silent state changes in repository or workspace files, which is especially risky in a proactive loop because the agent may repeatedly alter records without explicit user awareness or consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.