loki-mode
Audited by Socket on Jun 2, 2026
4 alerts found:
Alert types: Anomaly (x2), Security, Malware

The narration describes a high-autonomy software supply-chain workflow that could expedite development but introduces substantial governance and security risks if implemented as-is. While no malware or hardcoded secrets are evident in the text, the dangerous-permissions flag and fully autonomous lifecycle pose non-trivial risks to provenance, audits, and control planes. Recommended mitigations include enforcing explicit human-in-the-loop checks for critical steps, removing or constraining dangerous flags, implementing robust provenance and audit trails, and ensuring memory/state data is tamper-evident and reviewable before shipping.
This workflow is not overtly malicious (no backdoor, remote shell, or obfuscated malware patterns). However, it poses a moderate-to-high data leakage and integrity risk: it sends wiki page contents to a third-party AI service (Anthropic) and writes model output back into the wiki without adequate redaction or validation. That behavior can leak proprietary or sensitive information and can introduce incorrect or malicious content into project documentation. If you need this functionality, consider sanitizing/redacting sensitive data before sending, restricting which pages are sent, adding human review before committing AI-generated content, and auditing stored logs and API access.
SUSPICIOUS. The skill's capabilities mostly match its stated purpose, and the install provenance appears same-org/official, so this is not confirmed malware. However, it is a high-risk autonomy skill: it explicitly requires skipped permissions, forbids asking for confirmation, enables code execution/commits/deployment, and supports optional prompt injection into an agent with broad write/exec powers.
SUSPICIOUS: the skill’s behavior matches its stated purpose, but that purpose is itself high-risk because it launches a background autonomous coding agent, skips confirmations, and relies on a third-party CLI that uses provider API keys. The install path appears plausibly official rather than overtly malicious, so this is better classified as a high-risk autonomous/credential-forwarding skill than confirmed malware.