autonomous-loops

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent, but it promotes autonomous code commits, PR creation, CI repair, and merging without strong mandatory approval or privacy guardrails.

Install only if you deliberately want autonomous repository automation. Use protected branches, least-privileged GitHub credentials, dry-run or --disable-commits first, explicit max-run/cost/duration limits, and manual approval before merges. Keep secrets, customer data, and private credentials out of session files, shared task notes, specs, directory snapshots, and captured diffs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence
87%
Finding
The trigger phrases include very broad terms like "autonomous loop," "continuous development," and "parallel agents," which can match ordinary development requests and cause the skill to activate outside its intended scope. In a skill that promotes unattended automation patterns, ambiguous invocation increases the chance of accidental use for workflows involving repository changes, CI, or PR actions without the user explicitly asking for that level of autonomy.

Missing User Warnings

Medium
Confidence
93%
Finding
The skill explicitly advertises "PR Automation Loop," "auto-merge," and operation "without human intervention between steps," but does not provide a prominent warning, approval gate, or safety boundary for impactful repository actions. In this context, unattended loops are more dangerous because they can repeatedly modify code, open PRs, react to CI, and potentially merge changes at scale, amplifying mistakes or unsafe behavior.

Missing User Warnings

Medium
Confidence
92%
Finding
The markdown instructs users to launch multiple agents in parallel that write outputs to the filesystem, but it does not include safeguards around concurrent writes, path validation, or verifying that targets are isolated per agent. In an autonomous-loop skill, this omission is more dangerous because users are encouraged to operationalize the pattern directly, increasing the chance of overwrites, race conditions, or unintended modification of project files.

Missing User Warnings

Medium
Confidence
95%
Finding
The example script sends full spec contents and directory listings into an external agent command without any warning about sensitive data exposure, minimization, or trust boundaries. In this skill context, that is materially risky because specs and file listings may contain proprietary code structure, secrets, internal paths, or unreleased product details, and the pattern is presented as a reusable automation workflow.

Missing User Warnings

Medium
Confidence
93%
Finding
The document promotes a persistent REPL that stores full conversation history in a session file and reloads that history on every turn, but it does not prominently warn that prompts and model outputs may contain secrets, credentials, personal data, proprietary code, or security-sensitive context that will be retained on disk. In a security-oriented agent workflow, this increases the risk of unintended long-term data retention, overexposure of sensitive context across future turns, and disclosure through backups, shared accounts, or compromised developer machines.

Missing User Warnings

Medium
Confidence
94%
Finding
The document explicitly promotes a fully automated loop that creates branches, opens PRs, retries on CI failure, and merges changes, which are repository-changing actions with potentially broad impact. Although the file includes some safety language later ('Install from official repository after code review' and 'Review before merge'), it does not present a prominent upfront warning or default guardrails before introducing auto-merge behavior, making misuse or accidental destructive changes more likely in autonomous operation.

Context Leakage

High
Category
Data Exfiltration
Content
Unit branch
    │
    ├─ Rebase onto main
    │   └─ Conflict? → EVICT (capture context)
    │
    ├─ Run tests
    │   └─ Fail? → EVICT
Confidence
88%
Finding
capture context

VirusTotal

64/64 vendors flagged this skill as clean.