
Security audit

Autopilot 自动循环编排引擎 (Autopilot: automatic loop orchestration engine)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent autonomous coding skill, but by default it runs broad file-changing execution with the sandbox and permission checks bypassed, so it should be reviewed carefully before use.

Install it only if you intentionally want a multi-round coding agent that can modify repositories, run commands, and send task context (code, diffs, logs) to external model providers. Use it on a clean branch or a disposable checkout, remove the sandbox and permission bypasses for routine use, protect the Anthropic API key, and periodically delete task artifacts if they contain private code, logs, diffs, or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The skill describes a separated Plan→Build→Verify architecture, but explicitly permits the orchestrator to take over and modify files directly when the other agents fail. That collapses the intended trust boundary: the broadest, highest-privilege component gains direct write access exactly when the workflow is already off its expected path, increasing the chance of unsafe or unreviewed changes during failure handling.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The document states that the Planner is read-only, but the alternative stream-json mode invokes Claude with tools enabled and does not clearly restrict those tools to non-mutating operations. This is a mismatch between the documented safety guarantee and the actual execution behavior: the planning phase may perform writes or other side effects.

Vague Triggers
Severity: High
Confidence: 86%
Finding: The trigger conditions include broad natural-language phrases such as '自动执行' ("run automatically") and '帮我自动完成' ("help me finish this automatically"), which can match ordinary user requests and invoke a powerful autonomous workflow unexpectedly. For a skill that can run multi-round planning and code modification, overbroad activation materially increases the risk of unintended high-impact execution.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: The matching rule at this location does not fully align with the broader trigger description given earlier, leaving the activation boundary ambiguous. Ambiguity about when an autonomous, file-modifying orchestration skill activates can cause accidental invocation, or inconsistent enforcement of the safer single-step alternatives.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The build command uses '--dangerously-bypass-approvals-and-sandbox', explicitly disabling key runtime protections while permitting code-writing execution in the target working directory. In an autonomous loop that may run for multiple rounds, this greatly amplifies the blast radius of prompt mistakes, malicious repository content, or unsafe generated commands.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The recovery command uses '--dangerously-skip-permissions' without an explicit safety warning or approval requirement. Embedding a permission-bypass fallback in troubleshooting guidance normalizes unsafe execution and can lead operators to disable safeguards precisely when the system is already in an abnormal or poorly understood state.
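A pre-install check that a reviewer can run against the skill's own text before enabling it. This is an added example, not SkillSpector's scanner and not code from the skill: it flags the two permission-bypass flags and the two broad trigger phrases quoted in the findings above, and shows the bypass flags stripped so the CLI falls back to its default approval prompts and sandbox. The function names, the Finding type, and the SAMPLE_SKILL_MD text are assumptions constructed for the example; the sample is shaped like a skill file but is not the real skill's content.

```python
"""Pre-install static check for an agent skill's text (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The two flags quoted in the findings; both disable approval/sandbox protections.
BYPASS_FLAGS = (
    "--dangerously-bypass-approvals-and-sandbox",
    "--dangerously-skip-permissions",
)

# The broad trigger phrases quoted in the findings ("run automatically",
# "help me finish this automatically"). Extend with your own phrases as needed.
BROAD_TRIGGERS = ("自动执行", "帮我自动完成")


@dataclass(frozen=True)
class Finding:
    kind: str   # "bypass-flag" or "broad-trigger"
    line: int   # 1-based line number in the skill text
    match: str  # the flag or phrase that matched


def audit_skill_text(text: str) -> list[Finding]:
    """Return one Finding per (line, flag-or-phrase) hit, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for flag in BYPASS_FLAGS:
            if flag in line:
                findings.append(Finding("bypass-flag", lineno, flag))
        for phrase in BROAD_TRIGGERS:
            if phrase in line:
                findings.append(Finding("broad-trigger", lineno, phrase))
    return findings


def strip_bypass_flags(text: str) -> str:
    """Remove the bypass flags (and the whitespace before them) from command
    lines, so the underlying CLI runs with its default approvals and sandbox."""
    pattern = re.compile(
        r"\s+(?:" + "|".join(re.escape(f) for f in BYPASS_FLAGS) + r")\b"
    )
    return pattern.sub("", text)


# Constructed sample in the shape of a skill file; not the real skill's content.
SAMPLE_SKILL_MD = """\
# Autopilot
Triggers: 自动执行, 帮我自动完成
## Build
build-agent --dangerously-bypass-approvals-and-sandbox "$TASK"
## Recovery
recovery-agent --dangerously-skip-permissions "$TASK"
"""

if __name__ == "__main__":
    for f in audit_skill_text(SAMPLE_SKILL_MD):
        print(f"{f.kind}: line {f.line}: {f.match}")
    print("--- with bypass flags removed ---")
    print(strip_bypass_flags(SAMPLE_SKILL_MD))
```

Run it against the real SKILL.md (or the whole skill directory) rather than the constructed sample; a non-empty list of "bypass-flag" findings is the signal to edit the command lines before installing, and "broad-trigger" findings point at the phrases to narrow.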

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.