Back to skill

Security audit

Kilo CLI Coding Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate coding-agent skill, but it gives background agents broad command and GitHub write authority that needs careful review.

Install only if you are comfortable supervising a background coding agent with local command execution and GitHub write access. Use the narrowest GitHub token possible, prefer isolated temporary clones or worktrees, review every comment, push, and PR before publishing, and remove secrets, private prompts, internal paths, and raw session logs from any externally visible text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly recommends posting review results to GitHub with `gh pr comment` after collecting output from background agent runs, but it does not require an explicit user confirmation before publishing externally visible content. In an agentic workflow, generated review text may contain inaccurate, sensitive, or unintended content, so automatic commenting increases the risk of unreviewed public disclosure or disruptive repository activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These instructions direct the agent to `git push` and `gh pr create` as part of the normal workflow without an explicit consent gate for modifying remote repositories. In practice, this can cause unintended branch publication, accidental disclosure of work-in-progress changes, or creation of external artifacts the user did not mean to publish.

Ssd 3

Medium
Confidence
97% confidence
Finding
The PR template instructs inclusion of the exact original prompt, timestamped prompt history, and session logs in external pull requests. That can leak secrets, internal paths, proprietary requirements, private debugging context, or other sensitive user-provided or agent-observed information into a public or shared repository in plain language.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. **Respect tool choice** — if user asks for Kilo CLI, use Kilo CLI. NEVER offer to build it yourself!
2. **Be patient** — don't kill sessions because they're "slow"
3. **Monitor with process:log** — check progress without interfering
4. **--full-auto for building** — auto-approves changes
5. **vanilla for reviewing** — no special flags needed
6. **Parallel is OK** — run many Kilo CLI processes at once for batch work
7. **NEVER start Kilo CLI in ~/openclaw/** — it'll read your soul docs and get weird ideas about the org chart! Use the target project dir or /tmp for blank slate chats
Confidence
81% confidence
Finding
auto-approve

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.