Back to skill

Security audit

External Autopoiesis

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it asks an agent to build long-lived memories, profiles, and scheduled self-modification with weak privacy and control boundaries.

Install only if you deliberately want a persistent agent-identity system. Keep its memory in a dedicated folder, disable cron and heartbeat automation until explicitly configured, avoid raw conversation archives and relationship profiles by default, never store credentials or sensitive personal data, and set clear review, deletion, and redaction rules before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list is unusually broad and includes generic phrases like "set up identity," "persistent AI," and "memory architecture," which can cause the skill to activate in contexts far beyond its intended use. Overbroad invocation increases the chance that sensitive persistence, logging, or identity-shaping behaviors are introduced into unrelated workflows without the user clearly intending that outcome.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The protocol is framed as a recurring, automated self-evolution loop with broad applicability and little operational scoping, which can cause it to run in contexts where persistent memory creation and introspective modification are inappropriate. In a security context, vague invocation criteria increase the chance of unauthorized data access, uncontrolled persistence, and behavior drift because the agent is encouraged to continuously ingest prior activity and modify its own process.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cron instructions explicitly tell the agent to read session logs, daily notes, and error logs without any privacy classification, consent check, minimization rule, or secret-handling boundary. That creates a real risk of collecting sensitive user content, credentials, internal prompts, or operational data and reprocessing it into a persistent archive.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly promotes persistent storage of conversation logs, working notes, and relationship profiles, creating a durable record of user interactions and inferred personal data. This is dangerous because it encourages collection and retention without any data minimization, consent, access control, retention limit, or redaction guidance, making privacy leakage and unauthorized reuse more likely.

Ssd 3

Medium
Confidence
97% confidence
Finding
The guidance to append daily notes and "write important events immediately" encourages broad write-through of live session content into persistent storage. In practice, this pattern can capture credentials, personal data, confidential prompts, or sensitive business context before any review or classification occurs, expanding the blast radius of a single conversation.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instructions to preserve relationship histories, profiles, and continuity across engine swaps materially increase privacy and profiling risk. This is especially dangerous because the skill frames person-specific memory as a core capability, which normalizes long-term retention and replay of information about people across sessions and even across model migrations.

Ssd 3

Medium
Confidence
98% confidence
Finding
The rule "If it matters, write it to a file immediately" is an unsafe blanket persistence instruction that overrides context-sensitive judgment. In a security context, this can cause the system to persist exactly the kinds of high-risk data that should remain ephemeral or be excluded entirely, such as secrets, internal reasoning artifacts, customer data, or confidential operational state.

Ssd 3

Medium
Confidence
94% confidence
Finding
The document instructs the agent to mine recent sessions, corrections, and interactions as raw material for future cycles, which turns transient conversational and operational data into durable memory artifacts. This creates a natural-language retention pipeline that can expose private information across sessions and expand the blast radius of any later disclosure or compromise.

Ssd 3

Medium
Confidence
97% confidence
Finding
The archive design requires a single continuously appended file and explicitly forbids overwriting prior entries, creating an ever-growing permanent record of derived session content. In this skill's context, that persistence is especially dangerous because it is central to the identity system, making data accumulation and replay not incidental but a core behavior.

Ssd 3

Medium
Confidence
98% confidence
Finding
The scheduled workflow operationalizes a full data-ingestion-and-persistence loop: read logs and notes, derive content, and append it forever. Because the skill is explicitly about building persistent identity around a stateless model, this makes the retention and disclosure risk more severe by normalizing autonomous cross-session memory construction from potentially sensitive sources.

Ssd 3

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs operators to create persistent daily memory files containing important events, decisions, corrections, and relationship status across sessions. In a system wrapping an LLM, this can capture sensitive user data, full interaction context, and behavioral history without minimization, retention limits, or consent controls, creating privacy and data-governance risk if those files are later reloaded, leaked, or reused inappropriately.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.