Windowed Autonomy

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is not malware, but it needs review because it gives an agent broad scheduled autonomy, off-hours urgent overrides, and persistent memory/goal-writing behavior without clear safety boundaries.

Install only if you intentionally want scheduled autonomous work. Before enabling it, remove or replace the hard-coded MONEY goal, define exactly which queued tasks the agent may perform, require approval for destructive/external/account-affecting actions and off-hours urgent work, and review or limit the memory/checkpoint files it will write.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill presents outside-window behavior as effectively disabled autonomy, but separately introduces an urgent-task override that resumes autonomous work even when autonomy is supposedly off. This inconsistency can cause operators to rely on a safety boundary that is not real, allowing unscheduled actions to occur during periods intended for passive standby only.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The overnight routine states 'no autonomous work' and 'HEARTBEAT_OK only,' yet the skill also instructs the agent to check for urgent items and execute them autonomously overnight. That contradiction weakens operator control, increases the chance of unintended task execution during maintenance windows, and can bypass expected quiet-hours safeguards.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The file materially broadens a time-windowed task-queue skill into a persistent memory/checkpointing system that stores ongoing session state, user goals, constraints, and recovery instructions on disk. That expansion is security-relevant because it creates durable state outside the narrow scheduling purpose, increasing data retention and the chance that sensitive context is persisted or later reused inappropriately.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The instructions repeatedly direct the agent to read and write `memory/episodic/[today].md` and other memory files even though that behavior is not justified by the stated function of windowed autonomy scheduling. Unnecessary file I/O against persistent memory increases the attack surface for data leakage, cross-task contamination, and unauthorized retention of user/project context.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The heartbeat file extends behavior beyond narrow time-window queue handling by instructing updates to GOALS.md and storing general learnings. That broadens the skill’s authority from scheduling into persistent project-state modification, creating an avenue for unintended self-directed changes, goal drift, or persistence of misleading data without an explicit approval boundary.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill explicitly claims autonomy is restricted to configured daytime windows, but the urgent-task override creates an unbounded exception that permits autonomous action at any time. Because 'urgent' is defined broadly ('deadline < 6h, emergency') and there are no approval, scope, or action constraints, this weakens the safety boundary and can be used to trigger off-hours autonomous behavior unexpectedly.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The document presents overnight autonomy as 'OFF (standby),' but later instructs the agent to handle urgent tasks immediately overnight. This contradiction can cause operators or downstream systems to rely on a false safety assumption, leading to autonomous actions when the system is believed to be inactive.

Missing User Warnings

Medium
Confidence: 96%
Finding
The checkpoint protocol instructs writing detailed session contents—including task status, human goals, constraints, preferences, open questions, and notes—to disk before responding, with no warning, consent, redaction guidance, or sensitivity filter. This can persist confidential user data and operational context in plain project memory files, making accidental disclosure or later misuse significantly more likely.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs the agent to write checkpoint and status data into project files automatically, but provides no user-facing notice, consent check, or safety boundary around modifying repository state. In an autonomous workflow, silent writes can overwrite or pollute operational memory and project artifacts, especially when triggered routinely and non-blockingly.

Vague Triggers

Medium
Confidence: 76%
Finding
The instruction 'Heartbeat triggers' is underspecified and does not define the event source, trust boundary, frequency enforcement, or authentication for activation. In agent systems, vague trigger semantics can lead to accidental or repeated task execution, especially if multiple components interpret heartbeat events differently.

Vague Triggers

Medium
Confidence: 90%
Finding
The urgent-task override allows immediate autonomous work on tasks described only as 'URGENT: [task description]' without constraining task type, safety class, or required review. That makes the queue a weak control plane: anyone or any process able to write an urgent item can potentially trigger broad autonomous behavior outside normal scheduling safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.