Security audit

Apollo Autophagy

Security checks across malware telemetry and agentic risk

Overview

This is an openly destructive cleanup skill, but its instructions give agents broad deletion authority with ambiguous triggers and retained context snapshots/logs that users should review before installing.

Install only if you intentionally want an agent to assist with destructive cleanup. Before using it, require a visible dry run, explicit approval for every deletion target, no automatic cleanup from token thresholds, and review any separate autophagy.sh implementation before running it. Treat snapshots and cleanup logs as sensitive because they may preserve context you expected to remove.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The skill is described as a destructive cleanup tool, but the documented behavior also includes scanning workspace and /tmp content, scoring items, generating reports, and persisting results to state.json. This mismatch is security-relevant because users and orchestrators may authorize a deletion-only skill without realizing it also inventories and stores contextual data, expanding data handling beyond the stated purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The document gives conflicting rules for large-scale destructive cleanup: one section suggests token-threshold-based automatic warning/triggering, while another says it can only occur on explicit user request. In a destructive skill, such ambiguity can lead an agent or implementation to choose the less safe interpretation and perform irreversible deletion without clear user intent.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The skill inconsistently states whether small cleanup requires user confirmation, with one section requiring confirmation and another allowing execution without it. For a skill that deletes files, this inconsistency can cause accidental destructive actions when different components or operators follow different sections of the spec.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The activation conditions include broad natural-language concepts like cleanup, delete, reset, clear, destroy, and degraded context states, which are common in many non-destructive conversations. In the context of a destructive skill, overly broad triggers materially increase the chance of unintended invocation and downstream file or context deletion.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The manifest lists ambiguous one-word activators for a destructive capability, making accidental routing highly plausible. Because this skill is designed to delete data and context, permissive trigger vocabulary is more dangerous here than in a read-only or advisory skill.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The automatic activation conditions are unclear about whether token-threshold and context-damage conditions should merely warn or actually invoke cleanup. This ambiguity is dangerous because implementers may treat environmental conditions as authorization to delete state without a direct user command.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The acceptance criteria allow cleanup based on hard-threshold automatic triggers without a uniform confirmation requirement. For a destructive system, allowing automatic progression from threshold detection to cleanup creates a real risk of unauthorized deletion, especially under high-token or degraded-context conditions when the system is already less reliable.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The skill requires creating snapshots of current context before destructive cleanup and storing them for seven days. While intended for recovery, this preserves sensitive user/context data during a deletion workflow, creating a secondary data-retention surface that could expose information contrary to user expectations of 'cleanup' or 'reset'.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The mandatory cleanup log records retained user preferences, task state, and cleanup details in plain language. Logging this information during destructive operations can create durable records of sensitive context and user data, undermining privacy and increasing exposure if the log path is accessible or insufficiently protected.

VirusTotal

64/64 vendors reported this skill as clean.