Agent Autonomy Kit Zc
Security checks across malware telemetry and agentic risk
Overview
This is a transparent autonomy template, but it asks agents to keep running scheduled, self-directed work from shared queues and team channels without enough guardrails.
Install only if you intentionally want an agent to run on a schedule and keep working without prompts. Before enabling cron or heartbeats, define approved task sources, forbidden actions, allowed files/accounts, spending/token limits, channel privacy rules, logging, and a simple way to pause or remove the automation.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could keep consuming tokens, editing files, logging memory, and taking queue-driven actions after the user stops interacting with it.
The documentation explicitly promotes persistent, scheduled autonomous operation without human prompting.
Continuous Operation — Work until limits hit, then sleep ... These run automatically — no human prompt needed.
Only enable cron or heartbeat automation with explicit limits: allowed task types, allowed directories/accounts, maximum run counts, active hours, logging, and an easy kill switch.
A broad queued task could lead to multiple autonomous agents acting in parallel with unclear approval boundaries.
A scheduled system event is instructed to start parallel agent work, but the artifacts do not constrain what actions, tools, or approvals apply to those spawned agents.
--system-event "Morning kickoff: Review task queue, pick top priorities, spawn team members for parallel work."
Require human approval before spawning agents, posting externally, modifying repositories, touching production systems, or performing account-changing actions.
A mistaken, stale, or untrusted queue entry could steer future automated sessions and be reinforced through memory or handoff notes.
The persistent task queue becomes an instruction source for future autonomous work, and the docs do not define provenance, approval, or trust boundaries for queued tasks.
Any agent can pick up a "Ready" task ... Add new tasks as you discover them
Treat task queues and memory as untrusted input: record who added each task, require user approval for new work, and separate ideas from approved executable tasks.
Sensitive progress details or untrusted channel messages could influence agent behavior if the channel is not tightly controlled.
External team-channel coordination is disclosed and purpose-aligned, but the artifact does not specify identity verification, channel permissions, or what data must not be shared.
Agents communicate through Discord (or configured channel): Progress updates; Handoffs; Blockers; Discoveries
Use a dedicated private channel, verify participants, avoid posting secrets or private user data, and define which channel messages can create tasks.
Following the clone instruction may install files or instructions that were not included in this review.
The reviewed package is instruction-only, but the README recommends cloning external repository content that is outside the provided artifact set.
git clone https://github.com/reflectt/agent-autonomy-kit.git skills/agent-autonomy-kit
Inspect the repository before cloning, pin a specific commit or release, and verify it matches the skill you intended to install.