v0.0.9

Kilo CLI Coding Agent

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:21 AM.

Analysis

This appears to be a real Kilo CLI automation skill, but it asks for broad GitHub write authority and gives agents workflows for autonomous background coding, pushing, PR creation, and GitHub comments.

Guidance

Install only if you intentionally want an autonomous coding agent that can run commands and interact with GitHub. Use a narrowly scoped GitHub token, run it in isolated worktrees or temporary clones, monitor background/tmux sessions, and require a manual review before any push, PR creation, or GitHub comment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
bash workdir:~/project background:true command:"kilo run --auto \"Build a snake game with dark theme\"" ... gh pr comment <PR#> --body "<review content>"

The skill directs the agent to launch an autonomous coding CLI in background shell sessions and includes workflows for posting results to GitHub. These are high-impact tool uses and the artifact does not define an explicit approval gate before such actions.

User impact: If invoked too broadly or on the wrong repository, the agent could make or publish changes using your local tools and GitHub account.
Recommendation: Use only in intended repositories, require explicit confirmation before push/comment/PR actions, and review Kilo output before publishing it.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
Use **bash background mode** for non-interactive coding work ... # Deploy the army - one Kilo CLI per PR! ... tmux -S "$SOCKET" new-session -d -s fix-78

The skill intentionally launches long-running or parallel agent sessions. This is disclosed and purpose-aligned, but it creates ongoing activity that users need to monitor and stop.

User impact: Multiple background agents may continue using local resources, editing worktrees, or acting on tasks until stopped.
Recommendation: Track sessions with the documented process/tmux commands and clean them up promptly after each task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
npm install -g @kilocode/cli

The skill depends on a globally installed external npm package, and the instruction does not pin a version. This is expected for a Kilo CLI wrapper but is still a supply-chain dependency to verify.

User impact: The installed CLI will run with access to your working directories and may be used together with GitHub credentials.
Recommendation: Verify the npm package source and version before installing, and keep it updated through trusted channels.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
claw.json
"permissions": ["network", "exec"], ... "GITHUB_TOKEN", "description": "GitHub Personal Access Token with repo and actions:write permissions"

The skill requires a GitHub personal access token with broad repository and Actions write authority, alongside command execution and network permissions, without repo-specific scoping in the artifacts.

User impact: A misused or over-scoped token could allow repository changes, workflow-related actions, or GitHub operations beyond the immediate task.
Recommendation: Use a least-privileged token limited to the specific repositories and permissions needed; avoid broad personal tokens where a narrower GitHub credential is possible.