Kilo CLI Coding Agent
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent for running Kilo CLI, but it asks for broad GitHub write access and encourages autonomous background agents that can change code, push branches, and post to GitHub.
Install only if you trust Kilo CLI and are comfortable supervising autonomous coding agents. Use a temporary worktree or container, provide the narrowest possible GitHub token, and require manual review before pushes, PR creation, PR comments, or workflow-affecting actions.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe private files outside the project are protected when the skill only documents changing the process working directory.
The text frames the working directory as a containment boundary, but the artifacts do not show an enforced sandbox or filesystem restriction; a normal CLI process can still access other paths if permitted.
# Start agent in target directory ("little box" - only sees relevant files)
**Why workdir matters:** Agent wakes up in a focused directory, doesn't wander off reading unrelated files
Treat workdir as a convenience, not a sandbox; run in a container, temporary clone, or restricted account when handling sensitive files.
The agent could push code or project changes to GitHub under the user's credentials before the user has reviewed the result.
The workflow tells the agent to run Kilo in a way that can install dependencies, modify code, commit, and push changes, with no explicit approval checkpoint before the remote mutation.
tmux -S "$SOCKET" send-keys -t fix-78 "cd /tmp/issue-78 && npm install && kilo run 'Fix issue #78: <description>. Commit and push.'" Enter
Require explicit user confirmation before any git push, PR creation, PR comment, dependency install, or other remote/account-changing action.
If misused, the token could allow repository changes, workflow-related actions, or public GitHub activity beyond the immediate coding task.
The skill requires a powerful GitHub token with repository and Actions write authority, but the artifacts do not clearly limit it to one repository, branch, or operation.
"description": "GitHub Personal Access Token with repo and actions:write permissions", "required": true
Use a fine-grained, least-privilege GitHub token scoped to the specific repository and task, avoid actions:write unless truly needed, and rotate/revoke it after use.
Multiple Kilo sessions may keep running, consume resources, or continue working on repositories after the user has moved on.
Background and parallel agent sessions are disclosed and central to the skill, but they create long-running activity that needs monitoring and cleanup.
Use **bash background mode** for non-interactive coding work. Can run 5+ parallel fixes!
Monitor sessions with the documented process/tmux commands and kill or clean up all background sessions when the task is complete.
The behavior of the external Kilo CLI package is outside this skill's static scan and must be trusted separately.
The skill depends on a globally installed external CLI package that is not pinned or included in the reviewed artifacts.
npm install -g @kilocode/cli
Install Kilo CLI only from a trusted source, consider pinning a known-good version, and review its permissions and configuration before use.
