Back to skill

Security audit

LOOP

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it asks an agent to run a broad automated development loop that can edit code, create commits, spawn sub-agents, and modify agent/review rules with incomplete activation and consent boundaries.

Install only in repositories where you intentionally want an agent to edit files, run tests, create commits, and coordinate review sub-agents. Review the installer first, use a clean branch, keep human approval gates enabled before push or rule changes, and avoid enabling automatic development-loop detection in sensitive repos unless you can clearly control when it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill markets itself as a one-prompt self-iteration development loop, but the documented behavior includes installation prerequisites and broad orchestration language without clearly delimiting what will actually run automatically. This mismatch can mislead users into enabling a skill that may trigger code-writing, commits, and review workflows with a different operational scope than they expect, increasing the chance of unsafe automation in a development environment.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger set is broad and overlaps with common software-development requests such as automatic development, review, and starting a development loop. In an agent platform, overly broad activation can cause the skill to load in ordinary coding contexts and steer the session toward autonomous code modification and orchestration the user did not explicitly request.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The statement that the skill is 'automatically ready' and loads when the agent detects a development-loop scenario is ambiguous about the exact conditions for activation. Ambiguous auto-loading in a skill capable of coordinating code changes and commits increases the risk of unintentional execution in sensitive repositories or workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description emphasizes convenience and automation but does not clearly warn that activation may lead to code changes, git commits, audit runs, and multi-agent orchestration. Users may invoke it expecting advisory assistance and instead permit state-changing actions in their repository, which is particularly risky in a self-iterating development skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The package description claims that a single prompt can trigger an entire self-iterating development loop, including coding, audit, review, and human stages, without defining any concrete activation constraints or guardrails. In a skill that automates code generation and review, this broad invocation language increases the risk of unintended activation, overbroad delegation, or unsafe autonomous behavior if the host platform relies on metadata or natural-language descriptions for discovery or routing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to execute a local shell installer (`bash LOOP/loop-install.sh`) without any warning, integrity guidance, or explanation of what the script changes. In an agent-oriented workflow where users may follow setup steps automatically, this increases the risk of running unreviewed code that can modify the environment, install persistence, or alter security-sensitive configuration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide tells users to run another installer script (`bash FDE/fde-install.sh`) with no safety notice or description of system modifications. Because this skill promotes automated self-iteration and agent-driven workflows, users may be primed to trust and execute such commands quickly, making undocumented installer behavior more dangerous.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
LOOP.md:140