Back to skill

Security audit

Agent Execution Guard

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a coherent open-loop workflow guard, but it under-discloses network transmission, Telegram messaging, and local state writes while repeatedly presenting itself as no-write/local-only.

Install only if you are comfortable with local work-signal state being stored under .worldloops, and with some commands sending signal content to the WorldLoops API. Treat Telegram support as a live external integration, not a purely local demo, and avoid running broad brief commands on sensitive inbox or workspace data unless you have reviewed the files and configured storage/API settings intentionally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (47)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README asserts that the Telegram demo wrapper does not connect to any external API, yet the documented setup requires a Telegram token and running a polling bot. This is a security-relevant misrepresentation because operators may trust the skill as strictly local/read-only while enabling a live networked integration that transmits data to Telegram and expands the attack surface.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function returns `externalWrite: false` even though it writes proposals, transition receipts, and open-loop state to disk via the local storage helpers. In an agent-safety context, misreporting write behavior can undermine policy enforcement, auditing, and user trust by causing callers to treat a state-mutating operation as side-effect free.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The implementation transmits input.signals to a remote WorldLoops API while advertising safety in terms of externalWrite:false. That flag only states the returned object claims no external writes, but the network call itself sends potentially sensitive agent work signals off-box, creating a mismatch between the safety claim and actual data-flow behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This module writes notification state to a local file, which conflicts with the stated guarantee of preserving externalWrite:false. In an agent setting, that mismatch matters because users or host systems may rely on the manifest to enforce non-persistence, and silent disk writes can leak operational metadata or violate sandbox/policy assumptions.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Allowing WORLDLOOPS_DIR to override the storage path gives external process environment control over where files are read and written. While this is often used for configurability, in an agent/runtime context it can redirect state into sensitive or unexpected locations, increasing the risk of policy bypass, data exposure, or interference with other files.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code writes suppression receipts to the local filesystem while labeling outputs with `safety: { externalWrite: false }`, which can create a misleading safety boundary for callers that interpret the skill as non-persistent or side-effect free. In an agent setting, local writes are still state-changing I/O and may violate policy assumptions, enable unreviewed persistence of potentially sensitive observation data, and make downstream governance inaccurate.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The intake path does more than passive observation classification: it can transition existing loop state based on heuristic text matching and user-provided `relatedContext.existingLoopKey`. That means untrusted observations can mutate previously stored workflow state, potentially closing, snoozing, or escalating loops incorrectly and undermining integrity of the agent's task-tracking layer.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script writes local state by saving proposals, transition receipts, and open-loop state while presenting itself as safe under an `externalWrite:false` framing. Even if no third-party system is modified, these local commits can materially change agent behavior, create durable records from untrusted input, and mislead operators into treating the run as side-effect free.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The user-facing message says `No external system changed` and labels the operation as safe, but the surrounding logic performs local persistence and local commits. This can cause users, higher-level agents, or policy layers to incorrectly assume the action is non-mutating, enabling unsafe trust decisions and hidden state changes from attacker-controlled signals.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script repeatedly labels the operation as having `externalWrite: false` and says no external action is taken, but it later persists a newly created execution plan via `saveExecutionPlan(plan)`. Even if the write is only to local disk, this is still a state-changing side effect that can mislead an agent, orchestrator, or user into treating the command as dry-run or non-mutating when it is not.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The final console output states 'Plan ≠ Execution. No external writes.' immediately after the script has already created and stored a plan on disk. In an agent-skill context, misleading safety messaging is dangerous because downstream automation may rely on these assurances to permit actions that actually mutate local state, undermining guardrails and audit expectations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code performs outbound HTTPS requests to the Telegram Bot API for polling and sending messages, which is an external side effect. That directly contradicts the skill’s stated safety property of preserving externalWrite:false, creating a misleading trust boundary and enabling exfiltration of user/system-derived content to Telegram.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The safety labels state that no external changes were made and repeatedly assert externalWrite:false, yet the bot sends messages to Telegram over the network. This is dangerous because operators and downstream systems may rely on those assurances, causing silent data disclosure and incorrect policy enforcement.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The bot reads a Telegram token from an environment variable or a home-directory .env file under ~/.claude/channels/telegram/.env. While common for integrations, this expands credential access beyond the stated responsibility-layer purpose and increases the blast radius if the skill is installed in a broader agent environment.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The /live diagnostic path spawns a separate Node process to run another script with local inbox data. Even though spawnSync is invoked with fixed arguments rather than shell interpolation, this still grants process-execution capability that is broader than the skill’s advertised safety posture and can increase risk if the called script is modified or unsafe.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module creates directories and writes execution contract data to disk despite the stated skill context claiming to preserve externalWrite:false. This mismatch is security-relevant because it introduces persistent local side effects that callers may not expect, and if WORLDLOOPS_DIR is attacker-controlled, the code can overwrite arbitrary writable files in unintended locations.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The code writes execution plans to a local JSON file, which directly contradicts the stated 'externalWrite:false' safety posture and creates persistent side effects on disk. Even if intended for benign local state, this persistence can expose sensitive agent planning data, violate user expectations, and create an unauthorized write surface in constrained environments.

Context-Inappropriate Capability

Low
Confidence
74% confidence
Finding
The storage directory is derived from the WORLDLOOPS_DIR environment variable without validation, allowing runtime redirection of where the skill reads and writes execution plan data. In isolation this is not arbitrary code execution, but it expands the attack surface by permitting untrusted environment configuration to influence file-system access and persistence location.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill advertises preservation of `externalWrite:false`, but this function performs an outbound POST request to a third-party service and sends `signals` off-box. Even if the returned metadata sets `externalWrite:false`, the code is still transmitting potentially sensitive agent context externally, so the safety claim is misleading and could cause unsafe deployment decisions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function returns `safety.externalWrite:false` after making an external POST containing `signals`, which creates a mismatch between declared safety properties and actual behavior. In an agent ecosystem that relies on this flag for policy enforcement or trust decisions, this can lead to unreviewed exfiltration of prompts, user data, or operational context to `api.worldloops.ai` or an overridden base URL.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The output unconditionally states that no external system changed, even though the same function may report that a local proposal was recorded. While local persistence is not an external write in the narrow sense, this messaging can mislead operators or downstream tooling into believing no state changed at all, reducing audit clarity and masking side effects.

Intent-Code Divergence

Low
Confidence
94% confidence
Finding
The compact formatter always claims that no email, draft, call, or external change was made, regardless of whether local proposals were recorded earlier in execution. This creates inaccurate security signaling and can cause users or automated consumers to underappreciate that the tool did modify local state.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script tells users 'No external system changed' and presents the run as 'Safe', but the code later persists proposals, receipts, and open-loop state to local storage. Even if external APIs are not modified, local writes are still side effects that can affect privacy, auditing, future agent behavior, and operator trust; the misleading message can cause users to run it under false assumptions.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
On the error path, the script again claims 'No external system changed,' which can overstate the absence of side effects in a script that is capable of local persistence. Although this specific catch block likely runs before later writes complete, the blanket safety claim is still misleading and can desensitize operators to actual local state changes or partial processing in future revisions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script tells users 'Approval is not execution. No external writes.' even though it persists state by calling saveProposal and saveProposalDecisionReceipt later in execution. This is a misleading safety claim that can cause operators or downstream agents to treat the command as side-effect-free when it actually mutates local durable state.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/scripts/telegramTestBot.js:54

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/scripts/telegramTestBot.ts:29

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/contractCreate.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/contractList.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/contractReview.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/contractShow.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/doctorMobile.test.cjs:7

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/loopList.test.cjs:16

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/loopReview.test.cjs:16

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/loopShow.test.cjs:40

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/loopSummary.test.cjs:16

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/loopTransition.test.cjs:37

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/planCreate.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/planList.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/planReview.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/planShow.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/proposalCreate.test.cjs:11

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/proposalDecide.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/proposalList.test.cjs:11

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/proposalReceipts.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/proposalReview.test.cjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/proposalShow.test.cjs:11

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/proposalTemplates.test.cjs:15

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/receiptsVerify.test.cjs:19

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/stateCheck.test.cjs:19

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/stateRepair.test.cjs:27

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/briefPreferences.test.cjs:13

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/guardAdapter.test.cjs:8

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/guardDaily.test.cjs:8

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/guardHandoff.test.cjs:8