Back to skill

Security audit

Ship Loop

Security checks across malware telemetry and agentic risk

Overview

Ship Loop is a disclosed automation tool, but it can autonomously modify, commit, push, deploy, clean repository state, run configured commands, and persist sensitive run context with limited safety gates.

Install only for trusted repositories and non-production or well-controlled deployment targets. Review SHIPLOOP.yml like executable code, start with dry-run, use a disposable branch or worktree, avoid permission-bypass agent modes unless isolated, disable or constrain meta/optimization loops if you need review, and do not use notify-command or custom scripts where sensitive environment variables are present.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (35)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"SHIPLOOP_DURATION": f"{duration:.0f}",
        }
        try:
            subprocess.run(notify_command, shell=True, env=env, timeout=30)
        except Exception as e:
            logging.warning("Notification command failed: %s", e)
Confidence
99% confidence
Finding
subprocess.run(notify_command, shell=True, env=env, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly documents execution of shell commands, git operations, networked deploy verification, SQLite/file writes, and agent invocation, yet it declares no permissions boundary. In a skill framework, that mismatch is dangerous because users or orchestrators may assume a lower-trust execution model than the skill actually requires, leading to unintended command execution, repository modification, data exfiltration, or deployment actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The public description frames the skill as a build→ship→verify pipeline, but the body describes substantially broader behavior: persistent history, prompt injection of prior learnings, autonomous repair/meta loops, analytics, and experimental branching. That description-behavior gap is security-relevant because operators may invoke the skill expecting a narrow deployment helper while actually enabling broader autonomous code changes, data retention, and execution paths.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads agent_command from SHIPLOOP.yml and executes it unquoted as part of a shell command line, so whoever controls that configuration can run arbitrary commands in the repository context. In a build/ship automation skill this is especially dangerous because the script already performs git operations and runs with developer privileges, making config-driven code execution an easy path to full local compromise or destructive repo changes.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The CLI intentionally exposes an arbitrary shell command hook for notifications, which is much broader than a simple notification mechanism and effectively grants code execution. In a deployment pipeline context, that capability can be abused to run unrelated commands, exfiltrate secrets, modify artifacts, or pivot into the surrounding environment.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The notification hook inherits the full process environment via os.environ and then adds pipeline metadata before executing a shell command. In a CI/CD-style tool, inherited environment variables commonly include API keys, cloud credentials, tokens, and repository secrets, so any notification command gains broad access to sensitive data and can leak it externally.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
`discard_changes()` performs `git checkout -- .` and `git clean -fd`, which can permanently remove local tracked modifications and untracked files. In a build→ship automation skill, this is operationally risky because it is broader than a narrowly scoped pipeline action and there is no guardrail in this file to ensure the caller intends destructive cleanup.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The reflection loop is described and named as an analysis/reporting step, but it also mutates persistent state by creating new learning records based on heuristic thresholds. This creates an integrity and governance risk: a read-like observability operation can silently change future system behavior, amplify noisy failure patterns into durable policy, and make troubleshooting or approval workflows harder.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The verifier runs `config.script` via `asyncio.create_subprocess_shell`, which invokes a shell and executes arbitrary command text. If an attacker can influence the deploy configuration or script contents, this enables command execution in the agent environment, and the curated environment still exposes enough context plus inherited binaries to perform harmful actions. In this skill's context, a chained deploy/verify pipeline makes script execution particularly sensitive because it is expected to run automatically as part of release flow, reducing human review and increasing blast radius.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Trigger phrases like 'keep building', 'run the next segment', and 'build these features' are broad enough to match ordinary user conversation, which can unintentionally activate a powerful automation skill. Because this skill can run shell commands, invoke agents, commit, deploy, and persist state, accidental triggering materially increases the risk of unintended high-impact actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly says failure details are stored in `learnings.yml` and automatically injected into future agent prompts, but it does not warn that failures, root causes, fixes, and prompt-derived context may contain secrets, internal paths, proprietary code details, or sensitive operational data. Because this is a multi-run agent pipeline, persisted data can be repeatedly re-exposed to later agent executions, increasing the chance of unintended disclosure or prompt-context leakage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guidance to commit `learnings.yml` to the repository encourages durable distribution of a file that may contain sensitive troubleshooting history, internal implementation details, and possibly credentials or tokens accidentally present in error messages. In the context of a build→ship→verify loop, committing this file can propagate sensitive data to teammates, CI systems, forks, or public repositories, making exposure broader and more persistent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The introduction markets autonomous build, deploy, verification, and self-repair behavior as a core feature without warning that the system can make impactful changes to codebases, repositories, and deployment targets. In a skill for chaining agent-driven feature delivery, omission of safeguards can normalize high-risk automation and lead users to enable repository writes or production-affecting actions without adequate review gates.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow section describes code being committed, pushed, and deploy-verified on the happy path, but does not disclose risks, approval requirements, or operational constraints. Because this documentation is onboarding material, the lack of caution is more dangerous in context: it encourages trust in autonomous shipping behavior before users are exposed to guardrails or limitations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quickstart instructs users to run an automation pipeline that will commit, push, verify deployments, and later reset failed segments, but it does not clearly warn that these actions change local repository history/state and interact with remote systems. In a quickstart context, users are especially likely to copy-paste commands without understanding side effects, which can lead to unintended code publication, CI/CD execution, or destructive retries against production-connected workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly recommends running Claude Code with `--permission-mode bypassPermissions`, which disables confirmation prompts for file writes, but it does not clearly warn users about the security implications. In the context of an automation pipeline that feeds prompts to coding agents and lets them modify the working directory, this materially increases the chance of unsafe or unintended file changes being made without user review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The unconditional git checkout -- . and git clean -fd discard local modifications and remove untracked files without confirmation, which can destroy developer work or wipe artifacts unexpectedly. In this skill context, where chained automation repeatedly manipulates branches and invokes an agent, lack of safeguards increases the chance of accidental data loss during routine use.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script reads build/lint/test commands from SHIPLOOP.yml and executes them with eval, which allows arbitrary shell metacharacters, command substitution, and chaining to run in the current shell context. If an attacker can modify the repository config or influence the selected SHIPLOOP file path, they can execute arbitrary commands during a trusted pre-commit workflow, potentially stealing secrets, altering source, or persisting malicious changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script collects the last 100 lines of an error log, the current git diff, and untracked filenames, then injects that content into a prompt sent to an externally configured agent command. Because the agent target is arbitrary and defined in configuration, this can disclose source code, secrets present in diffs or logs, internal paths, and other sensitive development context without any explicit consent gate, redaction, or trust validation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script forcefully resets the working tree with 'git checkout -- .' and 'git clean -fd' after repair exhaustion, discarding all uncommitted tracked and untracked changes without user confirmation or scoping. In an agent-driven workflow, this can destroy unrelated local work or generated artifacts if the repository contains more than just the segment under test.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script unconditionally deletes '$PROMPT_FILE' during cleanup, even though it is a user-supplied input path. If the caller passes an important file or symlinked path, the workflow will remove it without prior disclosure, causing data loss outside the script's own temporary artifacts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists full agent output to a predictable log directory under the working tree without any indication of redaction, consent, or access controls. In this skill, agent output can plausibly include source code, prompts, credentials, API responses, or other sensitive deployment data, so automatic disk persistence increases the risk of unintended local disclosure or later exfiltration.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The function sends the entire prompt to an external subprocess over stdin, which may forward or process sensitive task context without any boundary checks or disclosure at this layer. In a chained build→ship→verify pipeline, prompts may contain proprietary code, internal instructions, secrets, or deployment details, making unrestricted prompt handoff more dangerous because it crosses a process boundary and may involve third-party tooling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The help text presents the notification feature as a generic shell command without making the security implications explicit. That increases the chance that users will treat untrusted config or copied examples as harmless, leading to unsafe command execution in a privileged automation context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The destructive cleanup in `discard_changes()` occurs without any visible warning, preview, or confirmation. If invoked in the wrong repository or at the wrong time, it can silently destroy a user's uncommitted work, which is especially dangerous in an agent-driven workflow where actions may be automated.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.