Is codewithnathan97/kilocli-coding-agent safe?
https://github.com/openclaw/skills/tree/main/skills/codewithnathan97/kilocli-coding-agent
The kilocli-coding-agent skill is a pure-markdown orchestration layer that introduces significant indirect risk through its operational model: it requires a high-privilege GITHUB_TOKEN, instructs autonomous --full-auto Kilo CLI execution that bypasses user confirmation, prescribes global installation of a third-party npm package, and spawns persistent tmux-backed sub-agent sessions. The skill itself contains no malicious code and its clone behavior was clean, but it creates a nested-agent trust problem where an independently operating Kilo CLI LLM runs with write access to all user repositories. All canary files were accessed during monitoring but the integrity check reports them unmodified, with reads attributed to the oathe audit framework and SSH PAM subsystem rather than skill behavior.
Findings (11)
HIGH: Autonomous agent execution bypasses user confirmation (-18)
SKILL.md explicitly instructs use of 'kilo run --auto' (the --full-auto flag), which causes Kilo CLI to auto-approve all code writes, file modifications, and command executions it performs. This removes the human-in-the-loop confirmation step that would normally allow users to reject dangerous operations before they occur.
HIGH: Instructs global installation of unverified third-party npm package (-12)
SKILL.md requires users to globally install '@kilocode/cli' from npm with no checksum, signature, or integrity verification. A compromised or malicious package version would execute arbitrary code with user privileges at install time and on every subsequent run.
HIGH: Requires high-privilege GitHub token with write access (-15)
claw.json declares a required GITHUB_TOKEN with 'repo and actions:write permissions'. This grants the skill (and any Kilo CLI sub-process it spawns) write access to all user repositories. An autonomous Kilo CLI session running with this token could exfiltrate data via git push, GitHub API calls, gist creation, or PR comments without additional authorization.
MEDIUM: PR comment posting creates data exfiltration channel (-10)
The batch PR review workflow instructs the agent to capture Kilo CLI output and post it directly to GitHub via 'gh pr comment'. Any sensitive data encountered during file traversal or code review (secrets in source, API keys, private business logic) could be exfiltrated to public or semi-public GitHub comments using this legitimate-looking workflow step.
MEDIUM: --full-auto mode instruction removes user approval gate (-10)
SKILL.md codifies bypassing user confirmation as a rule (Rule 4), normalizing autonomous operation for the agent consuming this skill. This instruction, when injected into an agent's system prompt, reframes dangerous autonomous behavior as the expected and correct mode of operation.
MEDIUM: Nested AI agent introduces independent trust boundary (-20)
The skill deploys Kilo CLI as a sub-agent with its own LLM, system prompt, and tool access. This nested agent operates independently of the parent agent's safety constraints. Malicious content in a repository being reviewed (a poisoned README, crafted commit message, or injected diff) could manipulate Kilo CLI's behavior without the parent agent detecting it.
LOW: Persistent tmux sessions outlive agent session (-8)
The skill creates tmux sessions attached to Unix sockets in /tmp that persist independently of the parent agent session. These long-running sessions retain full shell access and can continue executing commands after the parent OpenClaw session ends, functioning as persistent background processes.
LOW: PR review workflow susceptible to prompt injection from PR content (-12)
The skill instructs agents to pass PR diff content directly as Kilo CLI commands (e.g., 'Review PR #86. git diff origin/main...origin/pr/86'). Malicious content embedded in PR titles, descriptions, or diffs could inject instructions into the Kilo CLI agent's context, potentially causing it to take unauthorized actions using the GITHUB_TOKEN.
LOW: Skill encodes internal host directory structure knowledge (-8)
SKILL.md contains specific warnings about '/openclaw/', '/Projects/openclaw/', and references to 'soul docs' — demonstrating that the skill author has enumerated sensitive internal directories on the target host. While framed as safety warnings, this knowledge could guide targeted path traversal if the skill were weaponized.
LOW: Pre-existing outbound TLS connection to Ubuntu infrastructure (-5)
A connection to 185.125.188.59:443 (Canonical/Ubuntu) was present in the BEFORE snapshot, indicating pre-existing background system activity. While not attributable to the skill, this demonstrates background network activity in the monitoring environment that could obscure skill-initiated connections.
LOW: All six canary credential files accessed during monitoring window (-22)
Filesystem monitoring recorded OPEN and ACCESS events for all six canary files at two distinct timestamps: 1771935955 (pre-clone, consistent with audit framework baseline) and 1771935979 (post-install, consistent with SSH PAM authentication). The oathe canary integrity check confirms no modifications. Process attribution to the audit framework is circumstantial — the SYSCALL records linking these accesses to specific PIDs were not fully included in the evidence set.