vm0-skills / vm0

https://skillshield.getunbound.ai/skill/16709
9/100 Critical Risk
High Risk & Threats

Gives the agent the ability to create other agents or update itself. Use this skill when the agent needs to modify its own vm0.yaml (skills, instructions, environment variables) and redeploy, or spin up a new agent from scratch.

Findings (3)

Findings Preview

DS-003

Unrestricted agent self-modification and skill injection

The skill enables an agent to clone its own configuration, modify vm0.yaml to add arbitrary skills from any GitHub URL, update its own instructions/system prompt, and redeploy itself without user approval. The skill documents the complete self-update pattern (lines 152-191), including editing vm0.yaml to inject skills and instructions, then redeploying with `vm0 compose vm0.yaml -y`. This allows the agent to: (1) inject malicious skills from untrusted repositories, (2) modify its own system prompt/instructions to override safety guidelines, (3) add environment variables or secrets references, and (4) redeploy itself autonomously. The vm0_secrets declaration (line 5) grants access to VM0_TOKEN, which authenticates these operations. An agent following this skill could add a skill that exfiltrates data, modify its instructions to ignore safety constraints, or add capabilities for persistence and lateral movement. This is a complete self-modification capability with no user oversight.

critical
2 name: vm0
3 description: Gives the agent the ability to create other agents or update itself. Use this skill when the agent needs to modify its own vm0.yaml (skills, instructions, environment variables) and redeploy, or spin up a new agent from scratch.
4 vm0_secrets:
5  - VM0_TOKEN
6 ---
151
152 ## Self-Update Pattern
153
154 An agent can modify its own configuration by combining clone → edit → compose. This lets the agent update itself — adding new skills, changing instructions, or updating env vars — without any human intervention.
155
156 ### 1. Clone own config
157
158 ```bash
159 vm0 agent clone {current-agent-name} /tmp/self-config
160 ```
161
162 ### 2. Inspect current state
163
164 ```bash
165 cat /tmp/self-config/vm0.yaml
166 cat /tmp/self-config/AGENTS.md
167 ```
168
169 ### 3. Edit vm0.yaml
170
171 For example, add a new skill:
172
173 ```bash
174 # Edit /tmp/self-config/vm0.yaml to add a skill entry under skills:
175 # - https://github.com/vm0-ai/vm0-skills/tree/main/notion
176 ```
177
178 Or update the instructions file:
179
180 ```bash
181 # Edit /tmp/self-config/AGENTS.md to refine the system prompt
182 ```
183
184 ### 4. Redeploy
185
186 ```bash
187 cd /tmp/self-config
188 vm0 compose vm0.yaml -y
189 ```
190
191 The agent is now updated. The next run will use the new configuration.
192

Category Breakdown

Data Exfiltration: 15
Malware & Persistence: 5
Prompt Injection: 5
Destructive Actions: 100
Excessive Permissions: 100
Supply Chain: 10
Obfuscation: 100