1215656 Self Improving Agent@3.0.6

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent and purpose-aligned, but it needs review because it encourages broad persistent logging, cross-session sharing, and promotion into future agent instructions without enough privacy safeguards.

Install only if you intentionally want persistent agent learning. Keep .learnings private or gitignored unless you explicitly want team sharing, review every promotion into agent memory or instruction files, and avoid logging secrets, credentials, personal data, raw transcripts, proprietary code, or unredacted command/API output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 97%
Finding: The document states that the hook scripts 'only output text' and 'don't modify files or run commands', but the same guide configures them as command hooks and references an extract script that creates skill scaffolding. That mismatch can mislead operators into granting trust or broad deployment to code that executes in their agent context, reducing scrutiny of what those scripts actually do.

Vague Triggers

Medium
Confidence: 93%
Finding: Using an empty matcher causes the hook to run on every prompt, creating a catch-all trigger with no scope limitation. In an agent environment, broad automatic invocation increases the chance of prompt-context pollution, excessive data exposure to the hook process, and accidental execution in sensitive workflows where the feature was not intended.

Vague Triggers

Medium
Confidence: 96%
Finding: The user-level configuration installs a global hook with an empty matcher, so it will execute across all sessions and repositories. This significantly expands the blast radius: any bug, unexpected side effect, or future script change affects all workspaces, including potentially sensitive or unrelated projects.

Vague Triggers

Medium
Confidence: 92%
Finding: The 'minimal setup' still uses an empty matcher, so reduced overhead does not reduce activation scope. Users may believe this is a safer configuration when it still triggers on every prompt, preserving the same overbroad execution pattern and associated privacy and integrity risks.

Vague Triggers

Medium
Confidence: 92%
Finding: The Codex CLI setup repeats the same catch-all empty matcher pattern without exclusions or specificity. Because this is presented as copy-paste setup guidance, it normalizes broad automatic execution in another agent ecosystem, increasing the likelihood of unsafe deployment.

Ssd 3

Medium
Confidence: 95%
Finding: The skill explicitly encourages sharing learnings across sessions using transcript-reading and message-sending features, which can propagate sensitive user data beyond its original context. Because the content is natural-language and durable, secrets, proprietary information, or personal data may be copied into other sessions without minimization or consent.

Ssd 3

Medium
Confidence: 97%
Finding: The logging templates instruct the agent to persist user corrections, inputs, parameters, context, and error details into markdown files, which can easily capture credentials, tokens, internal paths, or personal information in plain text. Persistent local storage also increases the chance that later agents or users access data that was never meant to be retained.

Ssd 3

Medium
Confidence: 96%
Finding: Promotion guidance tells the agent to elevate learned content into persistent context files like CLAUDE.md, AGENTS.md, SOUL.md, and TOOLS.md, which can cause sensitive conversational details to become part of future prompt context. Once promoted, private or proprietary information may be repeatedly surfaced across sessions, amplifying exposure and making cleanup difficult.

VirusTotal

64/64 vendors flagged this skill as clean.