Back to skill

Security audit

Agent Autonomy Kit Zh

Security checks across malware telemetry and agentic risk

Overview

This text-only skill is not malware, but it encourages unattended scheduled agent work without clear limits on what the agent may change or do.

Install only if you intentionally want scheduled autonomous work. Before enabling cron or heartbeat automation, restrict the queue to approved low-risk tasks, require human approval for code changes, deployments, purchases, deletions, public posts, credential use, and agent spawning, keep logs private, and make sure you know how to pause or remove the scheduled jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs the agent to read a task queue, perform work, and then update queue and memory files during heartbeat runs. In a skill whose purpose is autonomous operation, this creates a real risk of unattended repository modifications, task drift, and persistence of unintended actions without any warning, approval gate, or scope limitation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The cron examples schedule unattended work sessions and wake the agent to perform tasks without a human prompt, including reviewing queues, selecting priorities, spawning team members, and doing overnight work. This materially increases risk because autonomous execution can amplify mistakes, operate outside business context, and continue modifying state or producing outputs when no human is supervising.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly encourages unattended, continuous operation through queue processing, heartbeat-driven work, and cron-triggered overnight execution, but provides no guardrails around user consent, action scope, resource limits, or destructive operations. In an agent context, this can lead to unauthorized changes, excessive system activity, or prolonged autonomous behavior beyond what the user intended.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.