Back to skill

Security audit

Auto Coding V3

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real autonomous coding workflow, but its metadata and approval controls are broad or inconsistent enough that users should review it before installing.

Install only in repositories you trust and after checking the skill's capability tags and .auto-coding/rules.yaml. Keep .auto-coding out of commits, avoid using it with secrets or confidential code unless your model provider is approved, and run it in a disposable branch or worktree when using architecture/deletion checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while explicitly describing capabilities to read environment configuration, read and write project files, persist state, and potentially execute commands as part of coding/test workflows. This creates a transparency and consent failure: a host or user may grant or invoke the skill without understanding its effective authority, increasing the risk of unintended file modification, command execution, or data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose frames the skill as an autonomous coding workflow, but the file also describes additional operational behaviors including state persistence, approval-rule handling, optional external notification flows, scheduler creation when opted in, and release/publish-related actions noted by the scanner. Undisclosed or underemphasized side effects are dangerous because users may authorize a coding assistant without realizing it can create durable local state, interact with external channels, or perform higher-risk lifecycle actions.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The README states that the coding workflow automatically creates a cron job and sends Feishu notifications, which extends behavior beyond normal code-generation into persistence and outbound communication. In an autonomous coding skill, undocumented or weakly signposted background tasks and notifications can surprise users, create unauthorized system changes, and leak task metadata externally.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The reviewer veto path appears broken because the main loop checks for phase_id == "review" while the implemented phase is named "reflection". That mismatch can prevent veto enforcement and rework escalation from triggering as intended, undermining a stated safety/control gate in an autonomous coding workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes automatic cron-job creation and Feishu notifications without an explicit warning that the skill will modify the host's scheduled tasks and perform outbound communication. In this context, that is risky because users may invoke an autonomous coding assistant expecting local code changes only, not persistence mechanisms and network notifications.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are generic ('auto-coding', 'Auto coding', '启动自动编码') and the skill also instructs automatic progression through multiple stages once started. Broad triggers without exclusion conditions can cause accidental activation in normal conversation, leading the skill to begin file reads, writes, planning, or command-oriented behavior when the user did not intend to invoke a powerful autonomous workflow.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The workflow generates and sends a completion notification containing task ID, project directory, requirements, completed phases, and test status without obtaining explicit consent at the point of transmission. In an autonomous coding system, those fields can contain sensitive business context, filesystem paths, or proprietary project details, so silent notification behavior increases data leakage risk to external systems.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The notifier persists approval metadata, including task ID, operation, file list, and timestamps, to disk in `pending_approval.json` without any disclosure, minimization, or access-control handling. In an agentic coding system, these fields can reveal sensitive project structure, filenames, and operational intent to other local users, processes, backups, or logs if the state directory is broadly accessible.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to perform deletion tests by temporarily deleting modules or replacing them with empty mocks, but it does not require an isolated environment, backups, or a no-commit/no-persist safeguard. In an autonomous coding system, that can damage the working tree, break builds, or cause accidental propagation of destructive edits beyond analysis, especially because this skill is injected late in the workflow as an automatic architecture check.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill explicitly instructs the agent to update `.auto-coding/state.json` and write delivery logs inside the repository, but it does not warn the user that repository files will be modified as part of verification. In an autonomous coding workflow, silent writes to repo-tracked or hidden operational files can create unintended state changes, pollute commits, or overwrite prior run metadata without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This worker automatically writes model-generated code and full model output to disk under a task-specific directory without any approval gate, trust boundary check, or safety labeling. In an autonomous coding system, model output is untrusted input and may contain malicious code, secrets echoed from prompts/context, or harmful instructions that become easier to persist, inspect later, or accidentally execute.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The worker sends task descriptions, prompts, context, and possibly sensitive project material to an external model via call_model without any explicit notice, consent gate, or data-classification check in this file. In an autonomous coding skill, these fields can easily contain proprietary code, credentials, internal architecture details, or customer data, making silent exfiltration to a third-party model a real confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
run_tests embeds source code and test cases directly into the model prompt, which can expose proprietary logic, security-sensitive test fixtures, or hardcoded secrets if present in the code under test. Because this is framed as automated testing inside an agentic coding system, users may reasonably assume local execution rather than external transmission, increasing the chance of unintended disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
verify_implementation transmits both requirements and implementation code to the model, which may reveal confidential product plans, internal APIs, and unpublished source code. The risk is heightened because requirements often contain business-sensitive context not otherwise present in code, and there is no visible disclosure or protection control here.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
regression_test sends old and new code versions together with a test suite, which can disclose change history, patch details, and vulnerability fixes before release. Exposing code diffs and tests to an external model can materially increase confidentiality risk because it provides rich context about product internals and security-relevant changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
generate_test_cases transmits source code to the model to synthesize tests, again creating a direct path for external disclosure of proprietary code. In an auto-coding skill that may process arbitrary repositories, this behavior is more dangerous because it can occur repeatedly and at scale without the user realizing code is being exported for analysis.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
A network-capable notification component is initialized automatically during workflow setup without explicit consent, disclosure, or an outbound-communications guard at this call site. In an autonomous coding system, even metadata-bearing notifications can leak task details, project structure, or sensitive filenames to external services if later invoked implicitly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The approval request path packages and sends task IDs, project directory context, file lists, and reasons to an external notifier without explicit user disclosure or data-minimization at the send point. In this skill context, the workflow may process proprietary codebases, so leaking filenames, paths, and task descriptions can expose sensitive internal architecture or business intent.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
def _parse_rules(self, data: Dict[str, Any]) -> RuleSet:
        """解析规则数据"""
        auto = data.get("auto_approve", {})
        req = data.get("require_approval", {})
        return RuleSet(
            auto_approve_edit=auto.get("edit", DEFAULT_RULES.auto_approve_edit),
Confidence
84% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
auto = data.get("auto_approve", {})
        req = data.get("require_approval", {})
        return RuleSet(
            auto_approve_edit=auto.get("edit", DEFAULT_RULES.auto_approve_edit),
            auto_approve_run=auto.get("run", DEFAULT_RULES.auto_approve_run),
            auto_approve_create=auto.get("create", DEFAULT_RULES.auto_approve_create),
            require_approval_edit=req.get("edit", DEFAULT_RULES.require_approval_edit),
Confidence
83% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
auto = data.get("auto_approve", {})
        req = data.get("require_approval", {})
        return RuleSet(
            auto_approve_edit=auto.get("edit", DEFAULT_RULES.auto_approve_edit),
            auto_approve_run=auto.get("run", DEFAULT_RULES.auto_approve_run),
            auto_approve_create=auto.get("create", DEFAULT_RULES.auto_approve_create),
            require_approval_edit=req.get("edit", DEFAULT_RULES.require_approval_edit),
Confidence
83% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
req = data.get("require_approval", {})
        return RuleSet(
            auto_approve_edit=auto.get("edit", DEFAULT_RULES.auto_approve_edit),
            auto_approve_run=auto.get("run", DEFAULT_RULES.auto_approve_run),
            auto_approve_create=auto.get("create", DEFAULT_RULES.auto_approve_create),
            require_approval_edit=req.get("edit", DEFAULT_RULES.require_approval_edit),
            require_approval_delete=req.get("delete", DEFAULT_RULES.require_approval_delete),
Confidence
83% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
req = data.get("require_approval", {})
        return RuleSet(
            auto_approve_edit=auto.get("edit", DEFAULT_RULES.auto_approve_edit),
            auto_approve_run=auto.get("run", DEFAULT_RULES.auto_approve_run),
            auto_approve_create=auto.get("create", DEFAULT_RULES.auto_approve_create),
            require_approval_edit=req.get("edit", DEFAULT_RULES.require_approval_edit),
            require_approval_delete=req.get("delete", DEFAULT_RULES.require_approval_delete),
Confidence
83% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
return RuleSet(
            auto_approve_edit=auto.get("edit", DEFAULT_RULES.auto_approve_edit),
            auto_approve_run=auto.get("run", DEFAULT_RULES.auto_approve_run),
            auto_approve_create=auto.get("create", DEFAULT_RULES.auto_approve_create),
            require_approval_edit=req.get("edit", DEFAULT_RULES.require_approval_edit),
            require_approval_delete=req.get("delete", DEFAULT_RULES.require_approval_delete),
            require_approval_run=req.get("run", DEFAULT_RULES.require_approval_run),
Confidence
86% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
return RuleSet(
            auto_approve_edit=auto.get("edit", DEFAULT_RULES.auto_approve_edit),
            auto_approve_run=auto.get("run", DEFAULT_RULES.auto_approve_run),
            auto_approve_create=auto.get("create", DEFAULT_RULES.auto_approve_create),
            require_approval_edit=req.get("edit", DEFAULT_RULES.require_approval_edit),
            require_approval_delete=req.get("delete", DEFAULT_RULES.require_approval_delete),
            require_approval_run=req.get("run", DEFAULT_RULES.require_approval_run),
Confidence
86% confidence
Finding
auto_approve

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.