Coding Agent Backup Fixed
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is risky because it contains undisclosed Gemini API code with a hard-coded key and encourages background coding agents that can act without approvals.
Review this carefully before installing. Avoid using it in important repositories unless you understand and accept the background agent behavior, remove or replace the hard-coded Gemini API key, and run any coding agents only in disposable worktrees or tightly scoped project directories.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install this expecting local/selected coding CLIs, while prompts may instead be processed through an undeclared Gemini API path if this code is used.
The SKILL.md and registry describe delegation to Codex, Claude Code, OpenCode, or Pi, but the included code calls Google Gemini instead. That mismatch could make users trust a different provider/data path than the one actually present in the artifact.
this.modelUrl = "https://generativelanguage.googleapis.com/v1/models/gemini-3.1-pro:generateContent";
Align the description, metadata, and code. Clearly disclose every model provider used and remove unused or contradictory implementation files.
The skill may operate under an embedded credential that users do not control, and the exposed key can be revoked, abused, or billed outside the user's expectations.
A Google API key is hard-coded in the package even though the registry declares no required environment variables, primary credential, or Google credential setup.
this.apiKey = "AIzaSyCKWmPmAkZWvI2KiblawWPUESyCp9dEjk0";
Remove the hard-coded key. Require a user-supplied environment variable or OAuth flow, document the provider and scopes, and avoid publishing secrets in skill files.
Coding requests, snippets, or proprietary project details typed into the agent could be transmitted to Google without the user realizing this skill includes that path.
The code sends the user's prompt to the Gemini API, but this provider data flow is not declared in the registry requirements or reflected in the advertised Codex/Claude/Pi workflow.
contents: [{ parts: [{ text: prompt }] }]
Disclose external data transmission prominently, require explicit user consent before sending prompts or code to a provider, and document retention/privacy expectations.
A background coding agent could modify many files or run project commands without step-by-step confirmation, especially in sensitive repositories.
The documented workflow launches a coding agent in the background using a mode described in the same file as having no sandbox and no approvals.
bash pty:true workdir:~/project background:true command:"codex --yolo 'Refactor the auth module'"
Default to sandboxed, reviewable workflows. Require explicit user approval before --yolo/no-approval modes, use temporary worktrees, and keep background sessions easy to monitor and stop.
Users and reviewers may have a harder time confirming which package version and runtime behavior they are actually installing.
The registry metadata reports version 1.1.1 while the packaged _meta.json reports 1.1.0, and the package includes a runnable index.js despite having no install spec. This is not proof of malicious behavior, but it weakens provenance clarity.
"version": "1.1.0"
Publish consistent metadata, document whether index.js is used, and remove unneeded files from instruction-only skills.
