Agent Autonomy Kit
Security checks across malware telemetry and agentic risk
Overview
This instruction-only skill is transparent about making the agent keep working, but it encourages unattended recurring agent activity that needs careful boundaries before use.
Install only if you intentionally want an agent to run recurring autonomous work. Before enabling cron or heartbeat changes, limit the task queue to safe work, require approval for code changes, deployments, purchases, public posts, deletions, or account actions, use isolated sessions where possible, avoid secrets in memory or chat channels, and verify the GitHub repository before cloning.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may continue acting on queued work while the user is away, using the agent's existing tools and context.
The cron section explicitly encourages recurring autonomous operation without a fresh human prompt, creating persistent background agent behavior.
These run automatically — no human prompt needed.
Only enable scheduled runs after defining safe task types, active hours, approval requirements, monitoring, and a clear way to pause or remove the cron jobs.
A scheduled job could trigger additional agents or tool use under the user's current agent environment without per-run review.
The documented setup schedules a main-session system event that can spawn team members for parallel work, but the artifacts do not define approval gates or task-type limits for that automation.
--session main \
  --system-event "Morning kickoff: Review task queue, pick top priorities, spawn team members for parallel work." \
  --wake now
Prefer isolated sessions, require confirmation before spawning agents or mutating important systems, and restrict the queue to low-risk tasks unless a human approves.
The agent may do additional work the user did not explicitly request at that moment.
The heartbeat intentionally changes the agent's stopping condition from completing a single request to selecting more work from a queue; this is disclosed and purpose-aligned, but should be bounded.
If time/tokens remain, pick another task
Keep the task queue curated, require human approval for sensitive tasks, and instruct the agent to stop when task priority or safety is unclear.
Incorrect, stale, or maliciously edited queue or memory entries could influence later autonomous work.
The skill relies on persistent memory and task-queue files that future runs will read and act on.
- [ ] Log what you did to `memory/YYYY-MM-DD.md`
- [ ] Update task queue with new tasks discovered
Restrict write access to task and memory files, review them regularly, and treat their contents as untrusted instructions unless verified.
Task details, blockers, or progress updates may be shared to Discord/Slack, and other agents may act on those messages.
External team channels are a disclosed part of the workflow, but they create a data-sharing and coordination path between agents.
Agents communicate through Discord (or configured channel):
- Progress updates
- Handoffs
Use private channels, avoid posting secrets or sensitive data, and verify which agents and humans can read or write to the coordination channel.
A user could follow a clone command for a repository different from the advertised homepage/source they expected.
The README directs users to clone from the reflectt GitHub organization, while the skill metadata/homepage references itskai-dev; this is a provenance inconsistency users should verify.
git clone https://github.com/reflectt/agent-autonomy-kit.git skills/agent-autonomy-kit
Confirm the intended repository, owner, and commit before cloning or installing anything outside the reviewed artifact bundle.
