
Security audit

Looper

Security checks across malware telemetry and agentic risk

Overview

Looper matches its stated automation purpose, but it can create persistent workflows that directly change GitHub repositories, publish social posts, manage API keys, and run with broad delegated authority.

Review before installing. Use this only if you trust Looper with the target repositories, social accounts, prompts, and credentials. Prefer propose or notify mode, set explicit run limits, avoid putting third-party API keys in prompt fields when possible, confirm every create/update/delete/run action, and rotate any Looper or posting keys if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents shell-based network operations but does not declare corresponding permissions, creating a capability/permission mismatch. This is dangerous because an agent may be allowed to execute external API calls, create accounts, manage automation, and affect third-party systems without transparent user consent or proper policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose focuses on content/code/social automation, but the documented behavior also includes account lifecycle actions, tenant/account information retrieval, GitHub connection checks, loop administration, and operational control. This mismatch is dangerous because users and policy engines may underestimate the breadth of authority granted to the skill, leading to unauthorized management actions and exposure of connected services.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to sign up for accounts and create/manage API credentials, which expands the skill from automation into identity and secret management. This is dangerous because autonomous account creation and credential provisioning can create untracked external assets, increase secret sprawl, and enable persistent third-party access beyond the user's expectations.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The skill exposes billing/subscription upgrade capability even though billing management is not central to the advertised automation function. This is dangerous because an agent with this guidance could initiate paid plan changes or subscription workflows, creating financial impact without sufficiently clear user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes automated modes that can directly commit to repositories and publish generated content on a schedule, but it does not prominently warn about these side effects. This is dangerous because users may enable autonomous operation without understanding that the skill can make persistent external changes repeatedly, including publishing low-quality or harmful content and altering source repositories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes a delete operation for loops without labeling it as destructive or irreversible. This is dangerous because an agent or user may invoke deletion casually, causing loss of scheduled workflows, configuration, and operational continuity with limited chance of recovery.

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. Sign Up

```bash
curl -X POST https://api.looper.bot/api/signup \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'
```
Confidence
90% confidence
Finding
curl -X POST https://api.looper.bot/api/signup \ -H "Content-Type: application/json" \ -d '{"email": "you@example.com", "password": "your-password"}' ``` Response includes `admin_key` (starts wit

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Get OAuth URL
curl -s https://api.looper.bot/api/github/connect \
  -H "Authorization: Bearer <key>"

# Visit the returned URL to authorize, then check status:
```
Confidence
85% confidence
Finding
curl -s https://api.looper.bot/api/github/connect \ -H "Authorization: Bearer <key>" # Visit the returned URL to authorize, then check status: curl -s https://api.looper.bot/api/github/status \ -

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. Sign Up

```bash
curl -X POST https://api.looper.bot/api/signup \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'
```
Confidence
90% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Login (if you need tenant info later)

```bash
curl -X POST https://api.looper.bot/api/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'
```
Confidence
86% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
Generates and commits blog posts to your GitHub repo on a schedule.

```bash
curl -X POST https://api.looper.bot/api/loops \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
91% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
Reviews your codebase and suggests or applies improvements.

```bash
curl -X POST https://api.looper.bot/api/loops \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
89% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
Social Kit template ID: `7431b897-396f-4542-8e32-d8d1c5e445a2`

```bash
curl -X POST https://api.looper.bot/api/loops \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
88% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
### Toggle loop on/off
```bash
curl -X PATCH https://api.looper.bot/api/loops/<loop-id> \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{"enabled": false}'
```
Confidence
82% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
### Trigger a run manually
```bash
curl -X POST https://api.looper.bot/api/loops/<loop-id>/run \
  -H "Authorization: Bearer <key>"
```
Confidence
84% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
### Update loop settings
```bash
curl -X PATCH https://api.looper.bot/api/loops/<loop-id> \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{"schedule": "0 8 * * *", "model": "gpt-4o"}'
```
Confidence
81% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
### Delete a loop
```bash
curl -X DELETE https://api.looper.bot/api/loops/<loop-id> \
  -H "Authorization: Bearer <key>"
```
Confidence
87% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Get OAuth URL
curl -s https://api.looper.bot/api/github/connect \
  -H "Authorization: Bearer <key>"

# Visit the returned URL to authorize, then check status:
```
Confidence
85% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# List keys (metadata only, not the key itself)
curl -s https://api.looper.bot/api/keys \
  -H "Authorization: Bearer <key>"

# Generate a new key
```
Confidence
83% confidence
Finding
https://api.looper.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-H "Authorization: Bearer <key>"

# Generate a new key
curl -X POST https://api.looper.bot/api/keys \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI Key"}'
```
Confidence
90% confidence
Finding
https://api.looper.bot/

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.