Autoresearch

Security checks across malware telemetry and agentic risk

Overview

This skill is aligned with autonomous ML experimentation, but it should be reviewed because it tells the agent to keep editing code and running GPU jobs indefinitely unless stopped.

Install or run this only in a disposable clone, branch, container, or dedicated worktree. Set explicit limits before starting: maximum runtime, maximum experiment count, GPU/cloud budget, disk usage, and whether git reset is allowed. Review dependency and remote kernel provenance, protect ~/.cache/autoresearch from untrusted writes, and do not leave the loop unattended unless you are prepared for ongoing compute use and repository changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The README tells users to run the agent with permissions disabled, but the documented workflow explicitly relies on the agent editing code and running experiments. This mismatch can cause operators to relax controls ad hoc or misunderstand what the agent actually needs, increasing the chance of unsafe enablement and uncontrolled execution during autonomous code modification.

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
The skill explicitly instructs the agent to continue operating indefinitely without further user confirmation, removing normal human oversight over ongoing code changes, git actions, and compute usage. In an autonomous coding environment this can lead to prolonged unauthorized modification, runaway experimentation, and continued resource consumption long after the user intended.

Missing User Warnings

Severity: Medium | Confidence: 91%
The README promotes autonomous code changes and repeated execution loops without clear guidance on reviewing diffs, constraining filesystem scope, or monitoring command execution. In this context, the omission is risky because the entire purpose of the skill is to let an agent iteratively alter training code and run it, which can lead to unintended system, cost, or data impact.

Vague Triggers

Severity: Medium | Confidence: 87%
The description uses broad triggers like 'AI experiments', 'automated training', and 'optimization', which can match many ordinary user requests and cause the skill to activate in contexts the user did not intend. Because this skill performs autonomous code modification and long-running execution, over-broad routing increases the chance of unexpected high-impact actions being taken.

Missing User Warnings

Severity: Medium | Confidence: 96%
The instructions prescribe repeated code modification, commits, training execution, log parsing, and git resets, but do not require an explicit user warning or confirmation about GPU consumption, runtime cost, disk/log growth, or destructive repository changes. In practice, this can lead to substantial resource usage and accidental loss of work without the user understanding the operational impact.

Missing User Warnings

Severity: Medium | Confidence: 89%
The code loads `tokenizer.pkl` with `pickle.load`, which can execute arbitrary code if the file is replaced with a malicious pickle. Because the file is read from a user-writable cache directory under `~/.cache/autoresearch/`, any local attacker, compromised process, or poisoned artifact placed there could trigger code execution when `Tokenizer.from_directory()` is called.

Missing User Warnings

Severity: Medium | Confidence: 92%
The skill authorizes direct modification of `train.py` and logging to local files as part of an automated loop, but does not require an explicit warning or confirmation before making those writes. This increases the chance of surprising or destructive repository changes, especially when the agent is operating autonomously over many iterations.

Missing User Warnings

Severity: Medium | Confidence: 96%
These steps direct the agent to execute shell commands and git operations autonomously, including commits, training runs, log inspection, and resets, without a clear safety gate. In practice this grants the skill the ability to alter repository state and consume local compute resources repeatedly, which is risky when embedded in an agent workflow.

Missing User Warnings

Severity: Low | Confidence: 93%
This script immediately initializes CUDA, compiles a large model, creates a training dataloader, and enters an unbounded training loop constrained only by TIME_BUDGET, which can consume substantial GPU memory, compute time, and power. In an autonomous research skill, that behavior is especially risky because an agent may launch it without clearly informing the user of expected resource cost, causing unexpected spend, denial of service on shared GPUs, or workstation instability.

VirusTotal

65/65 vendors flagged this skill as clean.