Kilo CLI Coding Agent

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate coding-agent helper, but it gives background agents broad command and GitHub write authority that users should review carefully before installing.

Install only if you are comfortable supervising a background coding agent with command execution and GitHub write access. Use the narrowest possible GitHub token, avoid actions:write unless needed, run it in a temporary clone or isolated workspace, review every generated comment/push/PR before publishing, and remove secrets, private prompts, internal URLs, and raw session logs from PR text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium (93% confidence)
Finding
The advertised purpose says the skill merely runs Kilo CLI in the background, but the body also enables git operations, GitHub authentication, PR review, commenting, pushing, and PR creation. This scope understatement can cause users or higher-level policy systems to authorize the skill without realizing it can perform remote repository write actions and access authenticated resources.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The skill documents cloning repos, checking out PRs, posting PR comments, and later pushing branches and creating PRs, which is materially broader than 'background Kilo CLI control.' Hidden or under-declared remote write capabilities increase the chance of unintended external side effects under the user's GitHub identity.

Missing User Warnings

Medium (94% confidence)
Finding
The skill requires a GitHub token and gh authentication but does not warn that commands run through the agent may inherit these credentials and use them to read private repository data or perform remote actions. In a background-agent context, credentialed automation without explicit disclosure meaningfully increases the risk of unintended data exposure or account activity.

Missing User Warnings

Medium (96% confidence)
Finding
The documented use of `gh pr comment` and `gh pr create` enables remote write operations on external repositories under the user's GitHub account, but the skill does not clearly call out that these are externally visible account actions. Users may treat the skill as local automation while it is actually able to publish content, create artifacts, and affect third-party repos.

Missing User Warnings

Medium (93% confidence)
Finding
The manifest requests both network and exec permissions and also requires a GitHub token with broad repo and actions:write access, yet the manifest provides no user-facing warning or justification for these sensitive capabilities. In combination, these permissions enable running arbitrary local commands and transmitting code or credentials over the network, materially increasing the risk of token misuse or unauthorized repository and workflow changes.

Ssd 3

Medium (98% confidence)
Finding
The PR template instructs users to include exact prompt text, timestamped prompt history, and session logs in external pull requests. Those fields can easily contain secrets, proprietary requirements, internal file paths, private issue context, or other sensitive interaction data, creating a direct exfiltration path from the local agent session to public or shared repositories.

VirusTotal

64/64 vendors flagged this skill as clean.