ClawHub

openclaw-kilo-agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Kilo automation helper, but it repeatedly encourages hands-free code and browser actions without enough safety limits.

Install only if you intentionally want OpenClaw to delegate powerful tasks to Kilo. Keep runs constrained to trusted workspaces and domains, avoid `--auto` for destructive changes, account actions, secrets, form submissions, or sensitive browsing, review MCP packages before enabling them, and start fresh sessions when switching users, credentials, or security contexts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs browser automation against arbitrary external URLs but provides no safeguards around data exposure, domain trust, credential handling, or user confirmation. In a skill whose purpose is autonomous browser control, this omission can lead to unintended transmission of sensitive context, interactions with untrusted sites, or execution of risky web actions without adequate review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instruction to always use `--auto` promotes unattended execution and suppresses permission checkpoints that would otherwise help catch destructive or privacy-impacting actions. In this skill's context—where Kilo can edit code, use MCP tools, and drive browsers—auto-approval materially increases the chance of unsafe file changes, data exfiltration, or harmful web interactions proceeding without human review.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide explicitly recommends using Kilo's `--auto` flag to bypass interactive permission prompts without any safety warning, scoping guidance, or restrictions. In the context of a coding and browser automation agent that can edit files, invoke tools, and use MCP servers, encouraging blanket auto-approval increases the chance of unauthorized or overly broad actions being executed without user review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly recommends running Kilo with `--auto`, which removes interactive approval for code, browser, and file operations. In a skill designed to orchestrate browser automation and multi-file edits, unattended execution can amplify prompt injection, unsafe navigation, destructive file changes, or unintended external actions without a human checkpoint.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal