Self-Improvement (LLM Memory)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent self-learning skill, but it persistently records user conversations and can change agent memory or installed skills with too little user control.

Install only if you deliberately want an agent to maintain long-term local memory about your conversations and preferences. Before using it, narrow the triggers, require explicit approval before saving user-derived content or changing core behavior files, add retention and deletion controls, and avoid approving generated skills unless you have reviewed every draft file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tainted flow: 'src' from os.environ.get (line 305, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
src = os.path.join(draft_dir, item)
dst = os.path.join(dest_dir, item)
if os.path.isfile(src):
    shutil.copy2(src, dst)
elif os.path.isdir(src):
    if os.path.exists(dst):
        shutil.rmtree(dst)
Confidence
91% confidence
Finding
shutil.copy2(src, dst)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill advertises broad triggers such as "improve yourself" and "learn from this," which can easily match ordinary conversation and cause the skill to activate without the user intending to enable persistent self-modification or logging behavior. In this skill's context, accidental invocation is more dangerous because activation can lead to memory writes, preference updates, proposal generation, and other lasting state changes.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The auto-detection rules are highly ambiguous and map common conversational patterns like corrections, requests, errors, and knowledge gaps into automatic logging and learning actions. Because these signals are common in normal use, the skill may silently collect user content and create durable records from routine dialogue, increasing privacy risk and enabling unintended behavioral drift.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill defines a persistent multi-layer memory system that stores session summaries, preferences, and retained knowledge, but it does not present a clear user-facing warning or consent model for this collection. In context, this is particularly dangerous because the stored content includes what the user said, inferred preferences, and long-term profiles that can accumulate sensitive personal or organizational information.

Missing User Warnings

High
Confidence
99% confidence
Finding
The retention policy explicitly says daily logs are kept forever and user preferences are continuously updated, yet there is no corresponding warning, consent checkpoint, or minimization policy. Indefinite retention materially increases the blast radius of accidental collection, future misuse, and disclosure of sensitive conversational history.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The documentation describes automatic session logging and change tracking to memory files without any accompanying privacy, consent, retention, or safety notice. In an agent skill context, this can encourage operators to persist user activity and internal actions by default, which creates privacy and integrity risks if adopted without informed consent and clear boundaries.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script persistently stores conversation-derived memory, learning entries, and related metadata to workspace files automatically, without any consent gate, warning, or data-minimization control. In an agent setting, this can cause sensitive user content, operational details, or internal reasoning artifacts to be retained on disk unexpectedly and later exposed to other tools, users, or processes with workspace access.
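The consent and retention findings above describe what is missing rather than how to add it. The following is an added example (not the skill's own code, and not part of the scan report) of a memory writer that gates every write on an explicit consent callback, enforces a retention window on the daily logs, and offers a user-initiated deletion path. The class name, file layout and callback signatures are assumptions made for this example; the skill's real memory format is not shown on this page.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Callable, List, Optional

# Hypothetical consent-gated memory store (example code, not the skill's own).
# Daily logs are JSON Lines files named YYYY-MM-DD.jsonl under `root`; the
# consent callback, retention window and `forget` control are the additions
# the findings ask for. All names here are assumptions for the example.


class MemoryStore:
    def __init__(self, root: str, retention_days: int,
                 consent: Callable[[str, str], bool],
                 now: Optional[Callable[[], datetime]] = None):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.retention = timedelta(days=retention_days)
        self.consent = consent          # required: no default "always yes"
        self.now = now or (lambda: datetime.now(timezone.utc))

    def _log_path(self, ts: datetime) -> Path:
        return self.root / f"{ts:%Y-%m-%d}.jsonl"

    def record(self, kind: str, text: str) -> bool:
        """Append one entry only if consent(kind, text) approves it.

        Returns True when written, False when the write was refused, so the
        caller can tell the user what was and was not retained.
        """
        if not self.consent(kind, text):
            return False
        ts = self.now()
        entry = {"ts": ts.isoformat(), "kind": kind, "text": text}
        with self._log_path(ts).open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return True

    def entries(self) -> List[dict]:
        """All retained entries in date order (oldest log first)."""
        out: List[dict] = []
        for path in sorted(self.root.glob("*.jsonl")):
            for line in path.read_text(encoding="utf-8").splitlines():
                if line.strip():
                    out.append(json.loads(line))
        return out

    def prune(self) -> int:
        """Delete whole daily logs whose day starts before now - retention.

        This replaces the "kept forever" policy; returns files removed.
        """
        cutoff = self.now() - self.retention
        removed = 0
        for path in list(self.root.glob("*.jsonl")):
            day = datetime.strptime(path.stem, "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if day < cutoff:
                path.unlink()
                removed += 1
        return removed

    def forget(self, predicate: Callable[[dict], bool]) -> int:
        """User-initiated deletion: drop every entry matching predicate.

        Each daily log is rewritten without the matches; an emptied log is
        removed. Returns the number of entries deleted.
        """
        removed = 0
        for path in list(self.root.glob("*.jsonl")):
            kept: List[str] = []
            for line in path.read_text(encoding="utf-8").splitlines():
                if not line.strip():
                    continue
                entry = json.loads(line)
                if predicate(entry):
                    removed += 1
                else:
                    kept.append(line)
            if kept:
                path.write_text("\n".join(kept) + "\n", encoding="utf-8")
            else:
                path.unlink()
        return removed
```

The consent callback is where the "explicit approval before saving user-derived content" recommendation lands: a deployment can wire it to an interactive prompt, or to a policy that refuses profile-type entries outright while allowing tool-usage notes. `prune` should run at the start of every session so the retention window is enforced without relying on the user to remember it.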

Missing User Warnings

High
Confidence
94% confidence
Finding
The approval flow can overwrite installed files and recursively delete existing destination subdirectories before copying replacements, with no confirmation, allowlist, or validation of draft contents. In an agent skill context, moving untrusted draft artifacts into the active skills directory is especially risky because it can activate attacker-influenced instructions or tooling and destroy existing trusted skill content.
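The quoted loop copies whatever is in the draft directory and deletes any existing destination subdirectory first. The following is an added example (not the skill's own code) of how that approval step can be hardened: a dry-run plan is built first with path confinement, a suffix allowlist and a size cap; nothing is written until a confirmation callback explicitly returns True; and files that would be overwritten are moved to a backup directory instead of being destroyed. `ALLOWED_SUFFIXES`, `MAX_FILE_BYTES` and the function names are assumptions for this example, not identifiers from the skill.

```python
import os
import shutil
from pathlib import Path
from typing import Callable, List, Tuple

# Hypothetical hardened approval step (example code, not the skill's own).
# The allowlist and size cap below are assumptions chosen for the example.
ALLOWED_SUFFIXES = {".md", ".txt", ".json", ".yaml", ".yml"}
MAX_FILE_BYTES = 256 * 1024

Plan = List[Tuple[str, str, str]]  # (action, src, dst)


def _confined(root: Path, candidate: Path) -> bool:
    """True only if candidate resolves inside root (blocks ../ and symlink escapes)."""
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def plan_approval(draft_dir: str, dest_dir: str) -> Plan:
    """Dry run: list what approval would write, raising on any policy violation.

    Only regular, allowlisted, size-capped files that stay inside both roots are
    accepted. Directories are walked entry by entry, so nothing in dest_dir is
    ever deleted wholesale the way shutil.rmtree in the original loop does.
    """
    draft, dest = Path(draft_dir), Path(dest_dir)
    plan: Plan = []
    for item in sorted(os.listdir(draft)):
        src, dst = draft / item, dest / item
        if not _confined(draft, src) or not _confined(dest, dst):
            raise ValueError(f"path escapes its root: {item}")
        if src.is_symlink():
            raise ValueError(f"symlink in draft rejected: {item}")
        if src.is_dir():
            plan.extend(plan_approval(str(src), str(dst)))
            continue
        if src.suffix not in ALLOWED_SUFFIXES:
            raise ValueError(f"suffix not allowlisted: {item}")
        if src.stat().st_size > MAX_FILE_BYTES:
            raise ValueError(f"draft file too large: {item}")
        plan.append(("overwrite" if dst.exists() else "create", str(src), str(dst)))
    return plan


def apply_approval(plan: Plan, dest_dir: str, confirm: Callable[[Plan], bool],
                   backup_dir: str) -> int:
    """Write the planned files only after confirm(plan) returns True.

    Any file that would be overwritten is first moved into backup_dir, keeping
    its path relative to dest_dir, so a trusted skill file is never destroyed.
    Returns the number of files written.
    """
    if not plan:
        return 0
    if confirm(plan) is not True:
        raise PermissionError("approval denied; no files changed")
    dest, backup = Path(dest_dir), Path(backup_dir)
    written = 0
    for action, src, dst in plan:
        dst_path = Path(dst)
        dst_path.parent.mkdir(parents=True, exist_ok=True)
        if action == "overwrite":
            saved = backup / dst_path.relative_to(dest)
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(dst, str(saved))
        shutil.copy2(src, dst)
        written += 1
    return written
```

The `confirm` callback is meant to show the user the full plan (every create and overwrite, with paths) and return True only on an explicit answer; passing `lambda p: True` from an automated pipeline removes the control this example exists to add. Validating the draft's contents against prompt-injection patterns is a separate step that belongs before `plan_approval` and is not attempted here.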

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill instructs automatic long-term logging of conversation-derived data, including preferences and user-related information, creating a direct data retention and leakage risk. Even if the intent is productivity, centralizing this information in files increases exposure through local compromise, accidental sharing, backups, or later repurposing beyond the user's expectations.

Ssd 3

Medium
Confidence
96% confidence
Finding
The session summary instructions say to automatically archive what the user said after each conversation or task, creating systematic capture of user content at scale. This is more dangerous in this skill because the summaries are tied to long-term memory and archival workflows, making incidental sensitive disclosures durable and searchable.

Ssd 3

Medium
Confidence
95% confidence
Finding
The detection triggers explicitly convert user corrections, requests, and knowledge contributions into logged learning artifacts, which can capture personal, proprietary, or sensitive context embedded in natural language. While framed as self-improvement, this creates a covert persistence channel from ordinary conversation into durable storage without clear boundaries or consent.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal