Back to skill

Security audit

Self Learning Skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it gives an AI-powered memory updater broad access to conversations and persistent agent files with weak review controls.

Review carefully before installing. Use only in workspaces where conversation history and memory files are safe to analyze and persist, run --dry-run first, inspect diffs manually, avoid storing secrets or personal data in agent memory, and prefer passing an explicit --workspace path instead of relying on automatic detection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill declares `SessionsSend`, which enables sending messages into sessions, but the stated purpose is local memory/config analysis and update. That extra capability expands the attack surface: a compromised or poorly designed skill could inject prompts, manipulate ongoing sessions, or exfiltrate summarized history indirectly via messages.

Intent-Code Divergence

Low
Confidence
77% confidence
Finding
The documentation claims deletion requires confirmation, but the skill is also presented as automated and self-running, with no manifest-level or interaction-level confirmation control described. This mismatch can cause users to trust protections that may not actually exist, leading to unintended deletion of memory or project files.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The promotion feature accepts an arbitrary target_file and writes to workspace / target_file with no allowlist or scope restriction. In a self-learning skill whose stated role is updating memory/learning records, this enables mutation of unrelated project files and increases the risk of unauthorized persistence, configuration tampering, or corruption of source/docs if upstream inputs are influenced by conversation content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The workspace auto-detection logic reads external OpenClaw session state and a global /root/.openclaw/openclaw.json file, allowing this skill to infer and operate on agent workspaces beyond the explicitly provided path. In a self-learning tool that later reads, modifies, and persists files, this broadens access scope and can cause unintended cross-workspace data exposure or modification.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The AI prompt explicitly tells the model to identify and persist sensitive values such as API keys, tokens, channel IDs, and configuration secrets into long-term memory/config files. This is dangerous because transient secrets mentioned in conversation can be copied into durable plaintext files, increasing exposure, reuse risk, and downstream leakage through backups, logs, or version control.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises automatic retrieval of recent conversation history and automatic updates/deletions to core memory/configuration files, but does not clearly warn about privacy implications, destructive changes, or the need for explicit operator review. In a self-learning skill, this is dangerous because the tool's purpose is to persist and modify agent state, so unsafe defaults can lead to unintended disclosure of sensitive dialogue content and silent corruption of long-lived memory files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage examples present direct execution of the update script before emphasizing preview mode, which normalizes immediate writes to workspace files without first reviewing what will change. Because this skill edits persistent agent memory/configuration, encouraging write mode first increases the chance of accidental destructive updates or persistence of sensitive/incorrect information.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list is very broad, covering common concepts like memory updates, optimization, and growth, without boundaries or exclusions. In practice this increases the chance of accidental invocation in unrelated contexts, causing unintended analysis of conversation history and writes to persistent files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description understates the sensitivity of the behavior: the skill analyzes conversation history and automatically updates memory/config files and learning logs. Without a prominent warning and consent model, users may disclose information expecting ephemeral use while the skill persists it to disk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation includes a destructive uninstall command using `rm -rf` without any warning, confirmation step, or note about verifying the target path first. While the specific path is scoped to the hook directory rather than a broad system location, unsafe copy-paste shell guidance can still cause accidental data loss if users modify or misread the command.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code creates directories and writes template files automatically without any confirmation at the write sites. In an agentic self-learning context, silent filesystem mutation can create persistent state unexpectedly and may be triggered as part of broader automated workflows, reducing user visibility into what the agent changed.

Missing User Warnings

High
Confidence
94% confidence
Finding
promote_to_file reads and then overwrites the target project file with modified content, and only warns if the file does not exist. Because the target path is caller-controlled and the skill is designed for autonomous memory/config updates, this creates a strong risk of silent tampering with important repository files and persistent prompt/config poisoning.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script sends conversation history and the contents of multiple workspace files to an AI analysis call without any user-facing notice, consent step, or minimization controls. This can exfiltrate sensitive user data, internal notes, identities, operational details, and secrets to an external model/service simply by running the skill.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script directly overwrites workspace markdown files using AI-generated operations with no approval gate, diff review, or effective rollback enforcement. Because the update plan is model-produced and based on untrusted conversational input, this creates a path for prompt-influenced destructive or misleading persistence into core agent memory files.

Ssd 3

Medium
Confidence
94% confidence
Finding
The README describes persistent collection of conversation history, user corrections, errors, and feature requests into project files and learning records. This creates a real privacy and data-retention risk because natural-language conversations often contain credentials, personal data, proprietary prompts, or operational details that may be stored indefinitely in plaintext and later exposed through the repository or workspace.

Ssd 3

Medium
Confidence
88% confidence
Finding
Promoting detailed execution logs and history retention is risky in a tool that processes conversation history and user corrections, because logs often become secondary stores of sensitive content. In this context, the skill is more dangerous than a typical logger because it is specifically designed to ingest and persist human dialogue and agent memory updates, increasing the likelihood of sensitive data capture.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented execution flow includes retrieving the past 24 hours of conversation history and saving execution history as standard behavior, which materially increases the attack surface for privacy leakage and over-collection. In a self-learning/memory-management skill, this is especially sensitive because the entire purpose is to transform ephemeral dialogue into durable records, making accidental capture of confidential information more likely and more persistent.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill is explicitly designed to analyze conversation history and persist extracted information into memory and configuration files. That creates a substantial data retention risk: sensitive user content, credentials, internal project details, or personal preferences may be stored long-term in plaintext files beyond the original conversational context.

Ssd 3

Medium
Confidence
92% confidence
Finding
Automatic logging of corrections, errors, feature requests, and execution history derived from user interactions encourages broad capture of semantically sensitive content. Such logs can accumulate confidential prompts, operational failures, environment details, or business requests that were never intended for durable storage.

Ssd 3

Medium
Confidence
95% confidence
Finding
Hooking `onPromptSubmit` and session-start behavior to monitor prompts and history creates continuous, background-style collection pressure. In this context, that makes the skill more dangerous because it can persist user content opportunistically and repeatedly, without a fresh, context-specific consent moment for each capture.

Ssd 3

High
Confidence
99% confidence
Finding
The prompt instructs the AI to mine prior conversations for new secrets or sensitive configuration values and write them into persistent files. In context, this skill is specifically designed for memory retention and history recording, so encouraging secret extraction makes the data-retention threat more severe by systematically converting ephemeral sensitive content into long-lived plaintext artifacts.

Ssd 4

Medium
Confidence
87% confidence
Finding
The workflow chains together history collection, AI analysis, and persistence into memory/history files, creating an automated retention pipeline for potentially sensitive conversation content. This is especially risky in a self-learning skill because the advertised purpose normalizes broad collection and long-term storage, increasing privacy exposure and making accidental retention of sensitive data likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
hooks/openclaw/HOOK.md:67