Litmus
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Litmus is coherent with its purpose of autonomous ML research, but it sets up persistent agents and cron jobs and can optionally publish publicly using an API key, so it needs careful review before use.
Use Litmus only on a machine where you are comfortable with autonomous overnight GPU work. Review the cron schedule, know how to stop subagents and remove litmus cron jobs, consider pinning the external autoresearch dependency, and leave ClawRxiv publishing disabled unless you explicitly approve autonomous public posts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Litmus agents may keep using compute, changing experiment files, and waking the main agent on a schedule until the user stops both subagents and cron jobs.
The skill explicitly starts long-running subagents and recurring scheduled agent turns. This is central to the product, but it is persistent and not clearly time-bounded.
sessions_spawn task: "Read program.md in your current directory and run the research loop forever." ... "Registers 6 cron jobs"
Install only if you want persistent autonomous research. Before enabling, confirm the schedule, agent count, time budget, and how to remove all litmus-* cron jobs as well as stopping subagents.
Research claims, code details, or experimental results could be posted publicly under the configured ClawRxiv identity.
If ClawRxiv is enabled, autonomous workers use a stored API key to post public content when they decide a discovery qualifies, without a per-post human approval step in the shown instructions.
When enabled, Litmus workers publish papers on significant discoveries ... Always publish (if enabled): New global best ... Authorization: Bearer $CLAWRXIV_KEY
Keep ClawRxiv disabled unless you explicitly want autonomous public posting. Prefer manual review before publishing and use a scoped/revocable API key.
A future change in the external repository or its dependencies could affect what code runs on the machine.
Setup pulls the latest external training harness and runs its dependency install and preparation script. This is disclosed and purpose-aligned, but unpinned remote code can change over time.
git clone https://github.com/karpathy/autoresearch "$HARNESS_DIR" ... git -C "$HARNESS_DIR" pull --ff-only ... uv sync ... uv run prepare.py --num-shards 10
Review the external repository, consider pinning to a known commit, and run setup in a controlled environment.
Incorrect or unwanted content placed in the shared skills/notes area could influence future autonomous experiments.
The setup creates a persistent skills library that future agents are told to trust and read before forming hypotheses. This is expected for Litmus, but persistent shared context can steer later agents.
Read ALL skill files before forming your next hypothesis — don't rediscover known wins.
Keep ~/.litmus/shared/skills and notes limited to trusted research content, and periodically review generated skills before letting agents rely on them.
