Back to skill

Security audit

long-running-agent-harness

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed coding-workflow harness, but it can modify a project, run local scripts, install dependencies, and change git history.

Install only if you want an agentic coding harness that can change a project directory. Use it in a clean clone or branch, inspect init.sh before running it, review git status and diffs before commits, and avoid git checkout . unless you intentionally want to discard local tracked changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill describes commands that initialize projects, write multiple files, manage progress state, and run development workflows, which implies file-write and shell execution capabilities. Because these capabilities are not explicitly declared in permissions, users and policy controls may not understand the actual authority granted to the skill, increasing the risk of unintended file modification or command execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The diagram explicitly documents that the skill creates and appends project files and performs Git-related operations in the target project, but it provides no warning, consent boundary, or safeguard around modifying user data. In an agent-orchestration skill, normalizing silent writes and repository changes increases the chance that an autonomous agent will alter project state unexpectedly or irreversibly.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The diagram states that the coder prompt starts a development server, but does not mention that this launches a long-running process with possible system and network impact. In the context of an automation skill, undocumented process spawning can consume resources, bind ports, and expose services unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly instructs the agent to write project files, create an executable script, and mutate git state without any warning, confirmation step, or scope limitation. In an agent skill for workflow automation, these actions are likely to be followed operationally and can silently alter a user's workspace or repository in ways the user did not expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The sequence directs the agent to run init.sh and perform git stash or revert during normal operation, again without warning about command execution or the potentially destructive effects of rollback operations. In this skill's context, long-running automated agent sessions make such undocumented execution and state changes more dangerous because they can recur across sessions and compound workspace loss or confusion.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs the agent to read and execute `init.sh` to start servers, but provides no requirement to inspect the script, obtain approval, or warn that it may launch subprocesses, open ports, install dependencies, or mutate the local environment. In an agent skill, this creates a meaningful unsafe-execution risk because repository-controlled scripts are untrusted input and may contain destructive or privilege-sensitive actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prompt directs the agent to run `git add -A` and `git commit`, which stages all workspace changes and permanently records them in repository history, without any disclosure or scoped review step. In an automated agent workflow, this can capture unrelated, sensitive, or unintended modifications, making the repository itself the persistence channel for accidental data exposure or destructive state changes.

Missing User Warnings

High
Confidence
99% confidence
Finding
Recommending `git checkout .` as a generic recovery step is dangerous because it irreversibly discards uncommitted changes in the working tree, yet the prompt gives no warning about data loss. In a long-running agent context, this is especially risky because agents may overwrite or destroy user work, prior agent output, or partially completed fixes while attempting to recover from being stuck.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt instructs the agent to create files, initialize a git repository, install dependencies, and execute shell-based setup without requiring any user confirmation or warning about these side effects. In an agentic environment, this can lead to unintended modification of the user's workspace or repository state, especially if the project description is ambiguous or the agent is pointed at an existing directory.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.