AI CEO Automation

Security checks across malware telemetry and agentic risk

Overview

The skill does not appear to be malware, but it asks users to enable broad GitHub automation driven by an external repository without adequate safety controls.

Review carefully before installing. Use a test repository first, inspect the external repository's workflows and scripts, avoid enabling "Allow all actions" in production, restrict GITHUB_TOKEN permissions, require human approval for customer-facing replies and deployments, avoid adding production secrets until reviewed, and disable scheduled jobs you do not explicitly need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill explicitly instructs users to enable broad GitHub Actions automation ('Allow all actions') and describes automated reply, deployment, and hourly-check workflows without any warning about repository-state changes, public content publication, or permission scoping. In the context of an 'AI CEO' automation skill this raises the risk that users deploy unattended workflows that modify issues, publish pages, or trigger recurring actions with excessive trust and insufficient review.

VirusTotal

66/66 vendors flagged this skill as clean.