openclaw-kirocli-coding-agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for autonomous coding, but it normalizes no-approval tool execution and remote code changes without enough scoping or warnings.

Install only if you intentionally want autonomous coding agents with broad local tool access. Use an isolated workspace, avoid no-approval modes by default, review changes before commits or pushes, and do not run it near secrets or production repositories unless you have strong containment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The skill instructs spawned coding agents to execute `openclaw gateway wake` themselves as an out-of-band callback. That expands the skill from merely launching agents into delegating control over host-side notification behavior to another LLM-driven process, creating an unintended command-execution path and possible spoofed or misleading completion signals.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README explicitly instructs operators to run coding agents with `--trust-all-tools` and does not pair that guidance with a warning that the agent may execute file edits, shell commands, or other system-affecting actions. In the context of a skill that bridges chat platforms to background coding agents, this materially increases the chance of unsafe autonomous actions being triggered from user prompts or prompt-injected content.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The README explicitly instructs operators to run Kiro with `--trust-all-tools` and to manage interactive coding-agent sessions through shell-backed background PTYs. In this skill's context, that means an LLM-driven coding agent can invoke tools and modify the local system or repository without confirmation, which materially increases the risk of unintended or prompt-influenced destructive actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill promotes `--full-auto` and especially `--yolo` as normal building modes while only lightly labeling `--yolo` as dangerous. Because these flags allow autonomous code and filesystem changes with reduced or no approvals, users may trigger destructive edits or repository modifications without understanding the blast radius.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guidance recommends `--trust-all-tools` for automation without prominently warning that it grants the agent unrestricted access to available tools and their side effects. In a coding-agent context, that can enable unreviewed file writes, shell execution, network-connected tooling, or configuration changes driven by model output.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The planning-mode example starts Kiro with `--trust-all-tools` and then has the operator approve handoff, but it does not warn that the session can transition from read-only planning into active execution. This creates a misleading safety boundary where users may believe they are still in a harmless planning workflow while tool-enabled actions become possible after approval.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The examples encourage agents to fix issues, commit, and push branches autonomously, culminating in remote repository changes, without a strong warning about irreversible side effects. In practice this can lead to unauthorized commits, accidental data exposure, or propagation of incorrect changes to shared remotes.

VirusTotal

66/66 vendors reported this skill as clean.
