Auto Coding V3

Security checks across malware telemetry and agentic risk

Overview

This skill is an autonomous coding workflow, but it also sets up background monitoring and outbound notifications with more authority than users may expect.

Review this carefully before installing. Use it only in a disposable or well-controlled development workspace, with no secrets in project files or prompts, and only if you explicitly want automatic file writes, model submission of code context, status persistence, and scheduled monitoring. After use, check and remove any OpenClaw cron jobs and .auto-coding state/log files you do not want retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
            # Safety transparency: log the cron creation operation
            print(f"  📡 子进程调用:openclaw cron add --name {cron_name} --every 5m")
            subprocess.run([
                "openclaw", "cron", "add",
                "--name", cron_name,
                "--every", "5m",
Confidence
95% confidence
Finding
subprocess.run([ "openclaw", "cron", "add", "--name", cron_name, "--every", "5m", "--message", cron_message,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Safety transparency: log the subprocess call
            print(f"  📡 子进程调用:openclaw infer model run --model {model} --prompt ({len(prompt)} chars)")

            result = subprocess.run(
                [
                    "openclaw", "infer", "model", "run",
                    "--model", model,
Confidence
88% confidence
Finding
result = subprocess.run( [ "openclaw", "infer", "model", "run", "--model", model, "--prompt", prompt,

eval() call detected

High
Category
Dangerous Code Execution
Content
#    eval is unsafe → mitigated with a restricted namespace and a known syntax subset
    #    All external input has been replaced with safe repr() literals
    try:
        result = eval(expr, {"__builtins__": {}}, {})
        return bool(result)
    except Exception:
        return False
Confidence
96% confidence
Finding
result = eval(expr, {"__builtins__": {}}, {})

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            import subprocess
            result = subprocess.run(cmd, capture_output=True, text=True, check=True)
            print(f"\n✅ Cron 监控已创建: {cron_name}")
            print(f"   每 5 分钟检查一次")
            print(f"   命令: openclaw cron show {cron_name}")
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, check=True)

Direct flow: os.environ.get (credential/environment) → subprocess.run (code execution)

High
Category
Data Flow
Content
)
            # Safety transparency: log the cron creation operation
            print(f"  📡 子进程调用:openclaw cron add --name {cron_name} --every 5m")
            subprocess.run([
                "openclaw", "cron", "add",
                "--name", cron_name,
                "--every", "5m",
Confidence
92% confidence
Finding
subprocess.run([ "openclaw", "cron", "add", "--name", cron_name, "--every", "5m", "--message", cron_message,

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code's safety disclosure claims it does not read sensitive configuration, but elsewhere it does read external notification-related environment variables. This mismatch is security-relevant because deceptive or inaccurate disclosure reduces informed consent and can hide data-flow risks from users reviewing the skill.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill is presented as an autonomous coding workflow, but it also performs cron management and notification setup, which exceed the expected scope of code generation. In a skill ecosystem, this capability mismatch is dangerous because users may grant access expecting coding assistance, not persistent scheduling or outbound messaging.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Embedding cron creation/deletion inside a coding workflow gives the skill persistence and system-task management powers unrelated to its primary purpose. In agent contexts this substantially raises risk because a compromised or prompt-influenced workflow could schedule repeated external actions over time.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The workflow creates and deletes system cron jobs, extending the skill from code assistance into system-level task scheduling. In an agent context this is dangerous because it gives the skill persistence and out-of-band execution capability beyond the user-visible interactive session, increasing the chance of covert follow-on actions or abuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The generated cron job is explicitly granted both exec and message tools, allowing future external command execution and outbound notifications on a schedule. In a coding skill this materially expands authority and creates a bridge from code generation into autonomous execution and exfiltration-like messaging behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that the workflow will automatically create a cron job and send Feishu notifications, but it does not present this as a sensitive side effect requiring clear user awareness, opt-in consent, or operational safeguards. In an agent skill context, undocumented or under-warned background persistence and outbound messaging can surprise users, continue running after the main task ends, and leak task metadata or project status to external systems.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad phrases like '写代码', '开发', and 'coding', which are common in normal conversation. Overly broad activation increases the risk of accidental invocation, causing the autonomous workflow to start, read project context, write files, or advance through multi-step behavior when the user did not intend to launch this skill.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The methods create and delete cron jobs without an in-method confirmation barrier or user acknowledgment at the moment the side effect occurs. A startup disclosure is not equivalent to explicit consent for persistent system changes, especially in automated agent runs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs users to perform 'deletion tests' by temporarily deleting a module or replacing it with an empty mock, but it does not require isolation, backups, disposable branches, or a non-production environment. In an autonomous coding workflow, that omission can cause broken builds, accidental commits of destructive changes, or disruption to systems and data if the agent applies the instruction in a live or shared workspace.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill instructs the agent to write log files into the workspace automatically, but does not clearly warn the user that it will modify project files. In an agent setting, silent workspace writes can create unintended file changes, pollute repositories, and alter CI or review state without informed user consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs execution of repository inspection and test commands such as git and test-suite runs without warning about side effects or execution boundaries. Even seemingly routine commands can consume resources, trigger hooks/scripts, touch networked dependencies, or expose secrets through tooling behavior, making undisclosed command execution risky in an autonomous coding skill.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill explicitly instructs the agent to update .auto-coding/state.json and write delivery logs, but it does not require any user notification, consent, or scoping check before modifying local persistent state. In an autonomous coding workflow, silent writes can alter execution state, create misleading audit trails, or leave unexpected artifacts on disk, which is a genuine safety issue even if the writes are operational rather than overtly malicious.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
Generated model output is automatically written to disk without any visible consent, disclosure, or sensitivity checks. In an autonomous coding context, prompts, context, or generated code may contain secrets, proprietary source, or vulnerable snippets, so silent persistence increases the chance of local data exposure and unintended retention.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow creates background cron jobs without a clear just-in-time user warning or consent at the moment the behavior occurs. Silent background scheduling is risky in agent systems because users may not realize the skill has established persistent monitoring and notification behavior outside the main run.

Ssd 3

Medium
Confidence
89% confidence
Finding
The worker stores up to 1000 characters of raw model output in the scratchpad without redaction. Because the model output is derived from task description, prompt, context, code, and test results, it can include sensitive user data, proprietary source code, secrets, or error details that are then persistently retained and resurfaced to other components or later runs.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
DEFAULT_RULES = RuleSet(
    auto_approve_edit=["src/*", "test/*", "tests/*", "docs/*", "*.md", "*.html", "*.css", "*.js", "*.py", "*.json"],
    auto_approve_run=["npm test", "npm run test", "pytest", "python -m pytest", "npm run build"],
    auto_approve_create=["src/*", "test/*", "docs/*"],
    require_approval_edit=["config/*", ".env*", "*.config.js", "*.config.ts", ".github/*"],
Confidence
92% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# Then check whether the paths are auto-approved
        for path in file_paths:
            matched = False
            for pattern in rules.auto_approve_edit:
                if fnmatch.fnmatch(path, pattern):
                    matched = True
                    break
Confidence
94% confidence
Finding
auto_approve

VirusTotal

65/65 vendors flagged this skill as clean.
