Self Evolving Skill 1.0.2

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for local self-learning, but it persists and mutates skill state using inconsistent paths, depends on runtime components that are missing, and gives users limited disclosure of the controls available to them.

Install only if you are comfortable with a local learning tool that may store and reuse task context. Use a non-sensitive test workspace first, set an explicit storage directory, verify the missing Python core/MCP server before enabling server mode, and require manual review before executing, saving, loading, or clearing learned skill state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation indicates environment/code capabilities and local installation behavior, but the manifest does not declare permissions. This creates a transparency and trust problem: users and host platforms cannot accurately assess what the skill can access before installation or execution. In a self-evolving skill that also persists state and launches local components, undeclared capabilities increase the risk of unintended access to local resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose emphasizes benign self-learning behavior, but the described behavior includes local installation, directory/link creation, server spawning, localhost requests, persistence, and management operations that materially expand the attack surface. This mismatch is dangerous because users may approve the skill under false assumptions, while the actual behavior enables filesystem modification, background services, and misleading simulated outputs. The 'self-evolving' context makes this more dangerous, not less, because autonomous mutation/persistence reduces predictability and oversight.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code mutates the process environment to force a hard-coded local storage path under a specific user's home directory. This can cause unintended reads/writes to sensitive local paths, break isolation assumptions, and make the adapter operate on data outside the caller's intended workspace, especially in shared or agent-executed environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation advertises a destructive `skill_clear` capability that wipes all data and cache, but provides no warning, confirmation requirement, backup guidance, or recovery note. In an agent-integrated skill with persistent storage, this increases the likelihood of accidental or scripted data loss by users or higher-level automation.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation description is broad and unconstrained, which can cause the skill to be selected in situations beyond the user's intent. For a self-modifying or self-learning skill, vague activation criteria are especially risky because unnecessary invocation can trigger persistence, analysis, or mutation workflows on unrelated tasks or data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation states that experience is automatically saved/loaded, but it does not warn users about what data is stored, where it is stored, or retention implications. Automatic persistence in a learning system can silently accumulate sensitive prompts, embeddings, task context, or operational history, creating privacy and security exposure if the storage is later accessed or reused.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The adapter performs persistence operations that write skill objects and embeddings to disk without any explicit confirmation, disclosure, or visible audit messaging to the caller beyond a success response. In an agent context, silent local writes can create privacy and integrity risks by storing user-derived data unexpectedly and making later tampering or data retention issues harder to detect.

Session Persistence

Medium
Category
Rogue Agent
Content
openclaw skill self-evolving-skill list

# Create a skill
openclaw skill self-evolving-skill create --name "MySkill"

# Execute
openclaw skill self-evolving-skill execute <id> --success
Confidence
84% confidence
Finding
create --name "MySkill"
# Execute
openclaw skill self-evolving-skill execute <id> --success
# Analyze
openclaw skill self-evolving-skill analyze --embedding '[0.1,0.2,...]'
# Statistics
openclaw skill self-evolving-

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal