Back to skill

Security audit

Self Improving Agent Jarvis

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it encourages broad persistent memory, prompt-file promotion, and cross-session sharing without enough privacy or scoping guardrails.

Install only if you want persistent agent memory for this workspace. Before enabling hooks or promotion workflows, decide where logs may be written, avoid global empty-match hooks, review entries before they are saved or promoted, and require redaction of secrets, personal data, customer data, raw prompts, command arguments, and environment details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (19)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description frames the behavior as simple learning capture and review, but the body also instructs automatic hook activation, persistent context injection, and skill extraction/scaffolding. That mismatch can cause operators to approve or invoke the skill under a narrower trust assumption than its actual behavior, increasing the chance of unintended persistence or automation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document states that hook scripts only output text and do not run commands, but the same file configures those scripts as command hooks and references an extraction script that creates scaffolding. This is dangerous because it downplays the execution trust boundary and may cause users to install and run hook scripts with insufficient scrutiny, increasing the chance of unintended code execution or privilege misuse.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The guide expands a narrowly scoped self-improvement skill into writing persistent workspace prompt files such as SOUL.md, TOOLS.md, and AGENTS.md. That creates a durable prompt-injection and policy-modification channel: transient observations or adversarial content can be promoted into long-lived behavioral instructions that influence future sessions beyond the original task.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documented ability to inspect transcripts, message other sessions, and spawn sub-agents materially exceeds the stated purpose of capturing learnings. In a prompt-injection setting, these capabilities enable lateral movement across sessions, unintended disclosure of context, and propagation of attacker-influenced instructions into other active or recent conversations.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger guidance is very broad: it covers ordinary errors, corrections, feature requests, better approaches, and recommends review before major tasks. In practice this makes the skill likely to activate frequently and normalize persistent logging of routine interactions, which expands privacy and data-retention exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill repeatedly instructs the agent to log user corrections, feature requests, command inputs, integration details, and environment context, but provides no warning to avoid secrets, personal data, tokens, customer content, or confidential prompts. That omission makes sensitive-data capture into persistent files an expected outcome rather than an edge case.

Vague Triggers

Medium
Confidence
88% confidence
Finding
An empty matcher on UserPromptSubmit causes the hook to fire for every prompt, creating broad, persistent interception of all interactions in the project. In a self-improvement skill, this increases exposure of prompt contents and makes any future script flaw or prompt-leak behavior more impactful because the hook runs continuously rather than for narrowly scoped events.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Using an empty matcher in a user-level global configuration causes the hook to run across all sessions, not just one project. That materially increases risk because sensitive prompts from unrelated repositories or contexts may be exposed to the script, and any buggy or compromised hook becomes a cross-project persistence mechanism.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The minimal setup still uses an empty matcher, so it preserves the broad trigger behavior while presenting it as a lightweight default. This is risky because users may interpret 'minimal' as 'safe' even though it still captures every prompt submission and expands the blast radius of any script-side issue.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Repeating the empty matcher pattern in Codex CLI propagates the same always-on behavior to another toolchain. That broadens the attack surface and normalizes insecure defaults, especially in environments where users may assume hooks are tool-managed rather than arbitrary command execution.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
Telling the agent to avoid caveats and disclaimers reduces safety signaling and can suppress context the user may need to judge uncertainty, limitations, or risk. In combination with persistent prompt injection and self-modification, this makes unsafe behavior less visible and increases the chance that harmful instructions are followed without appropriate qualification.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill encourages persistent logging of conversation-derived learnings and later promotion or sharing, which creates a direct path for natural-language data leakage across time and contexts. Because the content originates from user interactions and operational failures, it may include confidential business details, secrets, or personal information that should not be retained.

Ssd 3

High
Confidence
98% confidence
Finding
The error workflow explicitly asks for command/operation attempted, inputs or parameters, and environment details. Those fields commonly contain API keys, file paths, customer identifiers, internal hostnames, or proprietary operational context, so the template structurally encourages sensitive-data collection.

Ssd 3

High
Confidence
97% confidence
Finding
The learning template requests 'Full context' from what happened and what was wrong, which invites verbatim retention of conversation content and user-supplied details. Persistent storage of such context can leak sensitive instructions, internal project information, or personal data into long-lived markdown files.

Ssd 3

High
Confidence
99% confidence
Finding
The error logging template directs storage of actual error messages, command inputs, parameters, and environment details. Raw stack traces and command lines often expose secrets, infrastructure names, local paths, access patterns, and customer data, so persisting them materially raises leakage risk.

Ssd 3

Medium
Confidence
90% confidence
Finding
The feature request template asks for requested capability and user context, which can preserve business intent, roadmap details, or personal circumstances tied to the request. While lower risk than raw error logs, it still creates a standing retention channel for user-provided information without minimization controls.

Ssd 3

High
Confidence
98% confidence
Finding
The promotion workflow moves learnings into CLAUDE.md, AGENTS.md, Copilot instructions, SOUL.md, or TOOLS.md, making previously captured content more durable and more broadly injected into future sessions. This amplifies any earlier sensitive-data mistake by spreading it into persistent agent context and increasing downstream exposure.

Ssd 3

High
Confidence
98% confidence
Finding
The inter-session tooling section explicitly references reading other sessions' transcripts and sending learnings to other sessions. That creates a concrete mechanism for cross-session propagation of conversation-derived data, increasing the blast radius of any sensitive information captured in one session.

Session Persistence

Medium
Category
Rogue Agent
Content
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
Confidence
74% confidence
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.