Cpppselfimprovingagent123123

Security checks across malware telemetry and agentic risk

Overview

This self-improvement skill is not malicious, but it should be reviewed because it can store raw errors, user corrections, and agent behavior rules in persistent files without clear redaction or approval controls.

Install only if you want durable agent learning across sessions. Keep hooks project-scoped, avoid global empty-matcher setups, require confirmation before writing or promoting learnings, and redact secrets, tokens, personal data, customer details, proprietary content, raw environment data, and full command output before anything is saved or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence
Medium
Confidence: 98%
Finding: The document’s security section materially misrepresents the behavior of the configured hooks. The examples explicitly define hooks of type "command", which invoke shell scripts, so claiming they only output text and do not run commands can cause operators to underestimate execution risk and enable the feature in unsafe environments.

Missing User Warnings
Medium
Confidence: 90%
Finding: The skill directs the agent to persist user corrections, failures, and context into local files without instructing it to avoid secrets, personal data, tokens, or proprietary content. That creates a realistic data-handling vulnerability because routine interactions can be written into durable storage and later reused or exposed unintentionally.

Missing User Warnings
Medium
Confidence: 92%
Finding: The inter-session communication section normalizes reading and sending transcript content across sessions without warning about confidentiality boundaries or limiting what may be shared. This increases the chance that sensitive user content from one session is propagated into another context where it is not needed or expected.

Vague Triggers
Medium
Confidence: 92%
Finding: An empty matcher causes the UserPromptSubmit hook to trigger on every prompt, creating an always-on execution path. In a self-improvement skill, that broad scope increases exposure to prompt-driven persistence, unnecessary command execution, and accidental processing of sensitive or irrelevant contexts.

Vague Triggers
Medium
Confidence: 95%
Finding: The user-level configuration installs the hook globally in ~/.claude/settings.json while still using an empty matcher, making the trigger apply across all sessions and projects. That persistence and breadth magnify the chance of unintended execution in sensitive repositories or contexts where the skill should never run.

Vague Triggers
Medium
Confidence: 91%
Finding: Although labeled as minimal setup, this example still uses an empty matcher and therefore executes on every prompt. Reduced overhead does not reduce the security concern: the hook remains universally triggered and can create broad, unnecessary execution and context exposure.

Vague Triggers
Medium
Confidence: 91%
Finding: The Codex configuration repeats the same overly broad pattern by using an empty matcher with command execution hooks. Reproducing this as a cross-tool setup increases the blast radius by normalizing unsafe default triggering behavior in multiple agent environments.

Missing User Warnings
Medium
Confidence: 91%
Finding: The documentation directs the system to write learnings to persistent files but does not warn against storing secrets, personal data, or sensitive user content. In a self-improvement context, failures and corrections can easily contain credentials, proprietary data, or private conversation details, making silent persistence a real privacy and data-retention risk.

Missing User Warnings
Medium
Confidence: 94%
Finding: The file documents cross-session transcript access and messaging without any privacy, authorization, or data-minimization warning. In this skill's context, learnings may include error details and user corrections, so encouraging transcript reading and message passing across sessions can spread sensitive information beyond the original interaction scope.

Ssd 3
Medium
Confidence: 94%
Finding: Persistent transcript sharing across sessions is dangerous because it can spread sensitive information beyond its original scope and defeat users' expectations of contextual isolation. If one session handled credentials, internal code, or private business context, reusing or forwarding that material can create cross-task and cross-user data leakage pathways.

Ssd 3
Medium
Confidence: 95%
Finding: The prescribed logging formats explicitly request full context, inputs, parameters, error output, and user context, which commonly contain secrets, personal data, internal paths, tokens, and proprietary material. Because this data is stored persistently, accidental collection can become a durable confidentiality exposure and a source of later prompt or memory contamination.

Ssd 3
Medium
Confidence: 91%
Finding: The instruction to 'promote aggressively' into persistent memory files increases the chance that transient, user-specific, or sensitive information is elevated into long-lived agent context. Once promoted, that information may influence future sessions and be harder to discover, correct, or delete, amplifying confidentiality and retention risks.

VirusTotal

61/61 vendors flagged this skill as clean.