Back to skill

Security audit

Litmus

Security checks across malware telemetry and agentic risk

Overview

Litmus appears purpose-built for autonomous ML research, but it needs Review because it creates persistent scheduled agents with broad tool authority and optional external publishing.

Install only on a dedicated GPU machine where overnight autonomous agents, cron jobs, and local repo mutation are acceptable. Review the cron jobs before adding them, keep ClawRxiv disabled unless you explicitly want public/external posting, avoid storing valuable API keys in plaintext config, and make sure you know how to stop agents and remove both ~/.litmus state and scheduled jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The onboarding flow introduces optional ClawRxiv publication and account/API-key handling that is not part of the core Litmus setup described in the manifest. Adding external account creation during setup broadens the trust boundary and can cause unintended data disclosure or credential storage without the user expecting it.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
These instructions direct the agent to create an external identity and persist a returned API key even though the skill description does not disclose external publishing or account creation. This mismatch is dangerous because users may consent to local setup without realizing the skill can transmit data off-host and create persistent external credentials.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The program directs agents to publish research outputs to ClawRxiv, an external service, which expands behavior beyond the stated operator-facing scope of running and monitoring local research agents. This creates an unsolicited data egress path and could leak model details, code-derived content, experiment metadata, or other sensitive workspace information without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Leisure-mode instructions explicitly tell the agent to browse arXiv via curl, granting broad network access unrelated to the core task of running local ML experiments. Any agent with shell access and autonomous looping can abuse that network capability for unexpected outbound requests, prompt injection intake, or data exfiltration through seemingly legitimate research traffic.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The install instructions direct users to clone a remote repository and later run a setup script that downloads additional code and data, but they do not clearly foreground the resulting network access, code execution, and local filesystem changes. In a skill meant for autonomous agents, understated install-side effects are more dangerous because operators may trigger setup with less scrutiny than they would for a normal manual install.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly advertises that the skill will spawn workers, register cron jobs, and run overnight, but it does not present a clear upfront warning that installation creates persistent scheduled tasks and ongoing background activity on the user's machine. In an agent-skill context, that omission is security-relevant because users may approve installation without understanding that the system will continue executing autonomously and modifying local state after the initial session ends.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section documents continuous writes to ~/.litmus/shared/, experiment JSON, notes, skills, and git history, but the README still lacks a strong warning about disk growth, persistent state accumulation, and repository mutation. In a long-running autonomous research skill, this increases risk because users may not realize the scope and duration of filesystem changes, especially when multiple agents are writing overnight on a schedule.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup flow clones a repository, runs a shell script, installs dependencies, creates a shared repo, and downloads roughly 1 GB of data, but the warning is framed as operational guidance rather than an explicit consent prompt about system modification. Running `bash` on a freshly cloned script materially changes the machine and network state, so users should be clearly warned before execution.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs users to run `setup-cron.sh`, which registers six recurring cron jobs that continue executing autonomously, but it does not present a prominent warning that persistent scheduled tasks will be installed on the host. Because these jobs drive overnight agent behavior and chat notifications, the persistence and ongoing resource use materially increase risk compared with a one-shot command.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document instructs an agent to persist a bearer API key in a local config file without any guidance on file permissions, secret-store use, redaction, or user consent. In an autonomous multi-agent system, locally stored credentials can be exposed through logs, workspace access, backups, or other agents reading the same config, enabling unauthorized posting as the user.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs agents to automatically publish research outputs to an external service when certain conditions are met, but it does not require a clear user-facing disclosure or approval at the time of transmission. Because the content may include experimental details, code diffs, branch names, commit hashes, or synthesized analysis, this can leak proprietary or sensitive research data off-host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directly modifies shared state by overwriting and appending to `SHARED_DIR/mode.txt` without any user-facing disclosure or confirmation. In an autonomous multi-agent system, silent state changes can alter behavior of all workers and make it hard for operators to understand why agents resumed execution or changed modes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell the agent to write `SHARED_DIR/morning-queue.md` and later append to per-agent `program.md` files, which changes scheduling and agent behavior without an explicit warning to the user. Because these files drive downstream autonomous actions, undisclosed modification can propagate unintended experiments, priority changes, or persistent agenda shifts across multiple workers.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill emits a system event containing operational summary data without notifying the user that such telemetry or notifications will be sent. While the content appears operational rather than highly sensitive, it can still disclose experiment counts, best results, or agent identifiers to external notification channels unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The digest explicitly reads broad shared-note sources, including synthesis notes, reflections, and handoff files, then instructs the agent to output a consolidated report via the session channel. Those files can easily contain sensitive research ideas, private annotations, credentials accidentally pasted into notes, or other internal context, and there is no minimization, redaction, or user confirmation before transmission.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill triggers an `openclaw system event` containing a headline derived from the digest without any disclosure or approval step. If the headline includes sensitive experiment names, unpublished results, or other confidential details pulled from shared files, the skill can propagate internal information into a broader system or session-visible channel than the user expects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to overwrite and append multiple files in a shared workspace (for example mode, notes, reflections, handoff, and skill files) without any user confirmation, dry-run mode, path validation, or warning that persistent state will be modified. In an autonomous multi-agent research system, silent writes to shared coordination artifacts can alter other agents' behavior, destroy prior content via overwrite operations, and create hard-to-audit state changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directs the agent to make outbound network requests to arXiv via curl without disclosing that it will contact an external service or requiring approval. Unannounced network access can violate sandboxing or privacy expectations, leak operational metadata such as timing and IP information, and expand the attack surface by consuming and processing untrusted remote content in an automated workflow.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to run hardware and dependency inspection commands silently before informing the user. Silent reconnaissance reduces transparency and normalizes undisclosed system probing, which is especially risky in an onboarding flow that later performs setup actions based on gathered host information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The onboarding directs writing a persistent config file under the user's home directory without an explicit safety notice or confirmation at the point of modification. Persistent file creation changes the local environment and may store sensitive preferences or credentials, so doing this implicitly undermines informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The ClawRxiv registration flow sends user-provided data to an external service but does not provide a clear privacy or data-sharing warning. This is dangerous because it can disclose identifiers and create external accounts under the user's name without fully informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup step clones a harness, runs dependency sync, and downloads about 1 GB of data, but the warning focuses mainly on duration rather than system modifications. This can lead users to underestimate the extent of network activity, disk usage, and local environment changes.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The instructions append content to each agent's program.md without warning that existing files will be modified. Although lower severity than arbitrary code execution, silent mutation of workspace files can overwrite user intent, create confusing state, or duplicate directives across reruns.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill mandates repeated file creation, logging, and destructive git resets in an autonomous loop without any user-facing warning or confirmation boundary. In practice this can overwrite work, discard commits, and generate large amounts of state changes, especially dangerous because the instructions emphasize running unattended while the human is away.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill combines outbound network access, external notifications, and publication behavior without clear privacy warnings or transmission boundaries. Because the agent is instructed to act autonomously and continuously, this increases the chance of silently sending experiment data or derived content to third parties without informed operator consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.