Kilo CLI Coding Agent
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Kilo CLI wrapper, but it gives an autonomous background coding agent broad shell and GitHub write authority that can change repositories and post to GitHub.
Install only if you are comfortable letting Kilo CLI run shell commands and potentially change GitHub repositories on your behalf. Use a temporary clone or worktree, a least-privileged GitHub token, and require manual review before any commit, push, PR creation, or public comment.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could push unwanted code, run dependency scripts, or make repository changes under the user's account.
The workflow gives a background coding agent shell access in a repository and explicitly directs it to commit and push changes, which can mutate user code and remote repositories without a clearly stated confirmation gate.
tmux -S "$SOCKET" send-keys -t fix-78 "cd /tmp/issue-78 && npm install && kilo run 'Fix issue #78: <description>. Commit and push.'" Enter
Require explicit user approval before commits, pushes, PR creation, or PR comments; run only in isolated worktrees or temporary clones; and review diffs before allowing remote changes.
A broad token can let the agent push code, create or modify PRs, comment publicly, and potentially affect GitHub Actions in repositories the token can access.
The skill requires a broad GitHub token with repository and workflow-write authority, while the instructions are not clearly limited to a specific repo, branch, or approval workflow.
"name": "GITHUB_TOKEN", "description": "GitHub Personal Access Token with repo and actions:write permissions", "required": true
Use the least-privileged GitHub token possible, limit it to the intended repository, avoid actions:write unless necessary, and revoke or rotate the token after use.
Installing the external CLI can execute package installation code and later gives that CLI access to project files and commands.
The skill depends on a globally installed external CLI package that is not included or pinned in the reviewed artifacts. This is expected for a Kilo CLI wrapper, but it shifts trust to the npm package.
npm install -g @kilocode/cli
Verify the Kilo CLI package source, install a known-good version when possible, and keep it updated from trusted channels.
Multiple background agents could consume resources or make overlapping changes if the user does not monitor and stop them.
The skill documents spawning multiple background Kilo CLI sessions for parallel work. This is disclosed and purpose-aligned, but long-running parallel agents can continue acting until monitored or killed.
# Deploy the army - one Kilo CLI per PR!
Track all session IDs, use isolated worktrees, limit the number of parallel agents, and kill or clean up sessions immediately after the task is complete.