mx-auto

The skill bundle is designed to manage and execute automation triggers but contains high-risk behaviors, specifically the automated discovery and reading of administrative tokens from the local filesystem (e.g., 'runtime/admin-token.json') and environment variables (MX_APP_RUNTIME_ADMIN_TOKEN). While these capabilities are plausibly required for the stated purpose of RPA integration, the automated credential harvesting and the inclusion of a cloud dispatching script (cloud_dispatch_loop.sh)—even if currently marked as reserved—represent a significant security surface. Additionally, the logic in scripts/run.sh and scripts/local_dispatch_loop.sh could be vulnerable to token exfiltration if an agent is manipulated into using an attacker-controlled base URL.