Chen Self Improvement

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it gives agents broad persistent memory and cross-session context-sharing patterns without enough privacy and approval guardrails.

Install only if you intentionally want durable agent memory. Keep hooks project-scoped, avoid global always-on hook configuration unless you have reviewed the scripts, and require manual review before anything is written to AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md, MEMORY.md, Copilot instructions, or shared across sessions. Do not store secrets, credentials, private transcripts, personal data, customer data, or raw command output in the learning files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium (95% confidence)
Finding:
The document's security section is misleading: it states the scripts only output text and do not run commands, yet the hook configuration explicitly executes shell scripts via a command hook. This can cause users to underestimate the trust boundary and deploy executable hooks with the agent's privileges, increasing the risk of unintended code execution from modified or substituted scripts.

Vague Triggers

Severity: Medium (86% confidence)
Finding:
Using an empty matcher causes the hook to fire on every prompt, creating an always-on execution path with no scoping constraints. In this skill context, that broad trigger increases exposure to prompt-driven persistence and makes any future change to the hooked script immediately affect all sessions and prompts.

Vague Triggers

Severity: Medium (91% confidence)
Finding:
The user-level configuration installs a global always-on hook in the home directory, causing persistent execution across all projects and sessions. This broad scope makes the behavior more dangerous because it extends beyond a single repository and can silently affect unrelated work if the script or its path is altered.

Vague Triggers

Severity: Medium (85% confidence)
Finding:
The Codex example also uses an empty matcher, which leaves the trigger overbroad and causes command execution on every prompt. Because this pattern is presented as standard setup, users may adopt persistent automatic execution without understanding the operational and security implications.

Missing User Warnings

Severity: Low (83% confidence)
Finding:
The document encourages persisting learnings into workspace and skill files, but it does not include guardrails against storing secrets, personal data, tokens, or other sensitive session content. In a self-improvement/memory skill, that omission creates a realistic risk of sensitive data being retained long-term in local prompt-injection files that may later be reloaded into future sessions.

Ssd 3

Severity: Medium (92% confidence)
Finding:
The skill encourages persistent storage of learnings, errors, and corrections and later promotion into broader memory files, but it provides no meaningful data-minimization, redaction, or consent rules. That creates a realistic risk of retaining sensitive user prompts, secrets, environment details, or proprietary context in plaintext and propagating them beyond the original task.

Ssd 3

Severity: High (96% confidence)
Finding:
The skill explicitly presents cross-session transcript access and messaging as a mechanism for sharing learnings, which opens a semantic exfiltration path between sessions. If one session contains sensitive user data, another agent or session could retrieve or forward it under the guise of 'learning propagation' without proper authorization boundaries.

Ssd 3

Severity: Medium (95% confidence)
Finding:
The logging templates ask for full context, inputs, parameters, environment details, error output, and user context, all of which commonly contain secrets or confidential information. Storing these verbatim in markdown files creates an easy, durable leakage channel through local files, repos, backups, or later prompt injection into future sessions.

VirusTotal

64/64 vendors flagged this skill as clean.