Self Improving Agent Cn

Security checks across malware telemetry and agentic risk

Overview

This is a local memory helper, but it asks the agent to automatically persist user corrections, modify instruction files, and potentially retry with sudo without clear approval steps.

Install only if you deliberately want persistent agent memory that can affect future behavior. Before using it, require confirmation for any saved memory, disable automatic writes to AGENTS.md, MEMORY.md, .learnings and git backups, and never allow stored memories to trigger sudo or privileged commands without explicit review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill is presented as a memory/logging helper, but its documented behavior extends to modifying AGENTS.md, MEMORY.md, and project directories for synchronization. That expands scope from passive logging to active instruction and repository mutation, which can create unauthorized persistence, cross-project contamination, and hard-to-detect changes in agent behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The documentation says failures are automatically recorded, but later examples imply those records will drive future automatic command changes. This mismatch is dangerous because users may believe the skill is only logging events when it is actually influencing execution behavior, including altering commands based on prior errors.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The workflow explicitly says the skill may automatically switch to sudo after a prior failure. Automatic privilege escalation based on remembered errors is dangerous because it can transform routine command retries into high-impact system changes without adequate review, making accidental or malicious persistence far more severe.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger phrases for automatic recording are broad, conversational, and likely to appear in normal discussion. This can cause over-collection of user statements, mistaken persistence of transient remarks, and poisoning of the memory store with ambiguous or adversarial natural-language inputs.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill description does not clearly warn that user corrections and preferences may be stored across projects and propagated into shared instruction files. This lack of transparency is dangerous because users may disclose preferences, workflow details, or sensitive context expecting session-local use, while the skill persists and republishes them much more broadly.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Automatically retaining user corrections and preferences in persistent files creates a data retention and disclosure risk, especially when those statements may contain project details, policies, or personal preferences. Because the data is stored for reuse across sessions, accidental leakage or inappropriate replay into unrelated contexts becomes more likely.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
Synchronizing important memories into global and project documentation files broadens exposure far beyond the original interaction. Information captured from one project or user session can be disclosed in another project or to collaborators who read shared files, creating cross-context leakage and persistent contamination of instructions.

VirusTotal

66/66 vendors flagged this skill as clean.