Security audit

Agent Autonomy Kit Zc

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about enabling autonomous agents, but it promotes unattended scheduled work, file updates, team spawning, and external status posts without enough guardrails.

Install only if you intentionally want an agent to keep working from a task queue on a schedule. Before enabling cron, heartbeats, team spawning, or channel posting, define approved task sources, allowed directories/accounts, forbidden actions, token/spend limits, logging, review gates for high-impact work, and a clear way to pause or remove the automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly instructs the agent to read from a task queue, perform work, and update queue and memory files, but it does not warn users that this changes workspace state automatically and may modify user-managed files without an explicit prompt each time. In an autonomy-focused skill, silent file mutation is materially risky because it normalizes background edits and can lead to unintended overwrites, confusing state changes, or propagation of bad instructions from the queue into the repository.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill encourages posting updates to Discord/Slack team channels and coordinating externally, but provides no warning about disclosure of sensitive data, internal project details, or user content to third-party services. Because the kit is designed for continuous autonomous operation, the absence of privacy and egress guidance increases the chance that agents exfiltrate workspace-derived information during routine status updates or handoffs.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The cron examples schedule autonomous work sessions and reporting that run without a human prompt, including task execution and team-spawning behavior, yet the README does not clearly warn that these actions will occur automatically or describe their operational and privacy consequences. In this skill's context, the whole purpose is to bypass prompt-driven control, so unattended execution materially raises the risk of unintended edits, excessive resource use, and unreviewed outbound communication.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The phrase 'Transform your agent from reactive to proactive' promotes self-directed operation without stating what events, permissions, or user approvals constrain that behavior. In an agent-skill context, ambiguous proactive language can cause an agent to continue acting beyond the user's immediate request, increasing the risk of unauthorized changes, unintended external actions, or persistence of unsafe workflows.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The quick-start guidance explicitly recommends cron jobs, heartbeat-driven work, and 'continuous operation' but does not warn users that this can enable unattended automated actions. In practice, this creates a meaningful safety risk because an agent may keep making changes, consuming resources, or interacting with systems while no human is supervising, especially when paired with a task queue and instruction to 'Watch work happen without prompting.'

VirusTotal

63/63 vendors flagged this skill as clean.