Back to skill

Security audit

Coding Agent Backup Fixed 2026Q1

Security checks across malware telemetry and agentic risk

Overview

This skill presents itself as a local coding-agent delegator, but its bundled code sends user prompts to Google Gemini with a hardcoded API key and the documentation encourages high-authority coding-agent workflows.

Review carefully before installing. Assume prompts or pasted code may be sent to Google Gemini using the embedded credential, even though the skill is described as a local/background coding-agent delegator. Use only disposable or tightly scoped workdirs, avoid --yolo/no-approval workflows, remove or replace the hardcoded API key, and manually review all diffs before commits, pushes, GitHub comments, or OpenClaw event commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The config hardcodes a broad writable working directory at /home/admin/code while the skill metadata explicitly says it should never be used in ~/clawd workspace and implies constrained delegation behavior. Without an enforced path restriction or validation layer, the agent can be launched in an overly broad location, increasing the risk of unintended file modification, data exposure, or use in prohibited directories if higher-level controls fail.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The enabled capabilities include direct code execution, file management, parsing, and dependency inspection, which materially expand the skill beyond a narrow delegation wrapper. In a coding-agent context this increases the attack surface because the skill itself can manipulate files and run terminal-like actions instead of only brokering work to an isolated external agent.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation materially deviates from the documented behavior: instead of delegating to Codex, Claude Code, or Pi via background process, it sends prompts to Google's Gemini API. This is dangerous because users and reviewers may rely on the manifest to assess trust boundaries, data handling, and execution model, while the actual code introduces an undisclosed third-party network dependency and different data exposure path.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The inline comments openly describe Gemini API integration, which conflicts with the stated skill purpose and confirms the mismatch is built into the implementation rather than incidental. While comments alone are not exploitable, here they reinforce a deceptive or misleading implementation that can cause unsafe deployment decisions based on false assumptions about where code and prompts are sent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill introduces an external LLM network capability that is not justified by its documented role as a delegator to local/background coding agents. In this context, users may submit source code, secrets, proprietary logic, or review material expecting local handling, but the implementation exfiltrates that content to a remote provider, expanding the attack surface and creating confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill promotes use of `codex --yolo`, explicitly described as having no sandbox and no approvals, for refactoring and other coding tasks. That enables autonomous code execution and file modification in the target workspace without meaningful review, which can lead to destructive edits, secret exposure, or unintended command execution if prompts or repository contents are adversarial.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This workflow chains `pnpm install`, `codex --yolo`, and commit/push operations in temporary worktrees, which combines untrusted dependency execution, autonomous unsandboxed agent actions, and remote repository modification. In practice, a malicious repository or prompt could trigger arbitrary install scripts, make unsafe code changes, and publish them upstream without adequate human review.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
User input is transmitted to a third-party API without any disclosure, warning, or consent flow. Because this skill is for coding tasks, the input may contain confidential source code, credentials, internal URLs, or security-sensitive review data, so silent transmission materially increases privacy, IP leakage, and compliance exposure.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| --------------- | -------------------------------------------------- |
| `exec "prompt"` | One-shot execution, exits when done                |
| `--full-auto`   | Sandboxed but auto-approves in workspace           |
| `--yolo`        | NO sandbox, NO approvals (fastest, most dangerous) |

### Building/Creating
Confidence
90% confidence
Finding
NO approval

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Flag            | Effect                                             |
| --------------- | -------------------------------------------------- |
| `exec "prompt"` | One-shot execution, exits when done                |
| `--full-auto`   | Sandboxed but auto-approves in workspace           |
| `--yolo`        | NO sandbox, NO approvals (fastest, most dangerous) |

### Building/Creating
Confidence
81% confidence
Finding
auto-approve

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.