Back to skill

Security audit

Self Improving Agent2

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed self-improvement skill that writes local learning notes and can optionally add reminders, but users should enable its persistent hook and memory features deliberately.

Install this only if you want the agent to keep persistent learning notes. Prefer project-local .learnings files and project-level hooks, inspect scripts before enabling them, avoid global empty-match hooks in sensitive workspaces, and review any summary before promoting it into AGENTS.md, CLAUDE.md, SOUL.md, TOOLS.md, or a new skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document's security section understates what these hooks do. It claims the scripts only output text and do not run commands, yet the documented configuration explicitly executes shell scripts as command hooks and also references an extraction script that creates scaffolding, which can mislead users into over-trusting the setup and granting it broad execution privileges.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The main template asks authors to 'include trigger conditions' but does not enforce concrete boundaries, exclusions, or specificity. In an agent skill system, vague activation criteria can cause over-broad auto-selection of a skill, leading the agent to apply guidance in the wrong context and potentially execute inappropriate commands or workflows.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The minimal template's description guidance is especially permissive and only asks what the skill does and when to use it, without requiring precise conditions or exclusions. Because this repository is for self-improvement skills that may be reviewed before major tasks, an underspecified minimal skill could be activated too often and steer behavior broadly across unrelated sessions.

Vague Triggers

Low
Confidence
88% confidence
Finding
The script-capable template allows executable helpers but does not pair that capability with stricter trigger-specificity requirements. When scripts are involved, accidental over-activation is more dangerous because it can lead to unnecessary or context-inappropriate command execution, even if the template itself is only documentation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using an empty matcher causes the hook to fire on every prompt, creating a broad interception surface for all user inputs. In a self-improvement skill, that means every interaction may trigger script execution and context injection, increasing exposure of sensitive prompt content and making unintended persistence or prompt contamination more likely.

Vague Triggers

High
Confidence
95% confidence
Finding
The user-level configuration installs an always-on hook for all prompts across all projects, greatly expanding scope and persistence. If the script is changed, compromised, or simply too permissive, it can affect unrelated sessions and expose sensitive data from every prompt the user submits.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Although presented as minimal, this setup still triggers on every prompt due to the empty matcher. That broad activation can normalize unnecessary command execution and context injection even when no error-handling or learning capture is needed.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Codex CLI example repeats the same broad pattern of executing a command hook on every prompt without trigger limits. This increases the chance of sensitive prompt data being processed by the script in all sessions and makes the behavior harder for users to reason about.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The instruction in SOUL.md to 'Avoid unnecessary caveats and disclaimers' can bias an agent toward suppressing important safety, uncertainty, or risk communication. In a security-relevant or high-impact workflow, that can cause the system to omit warnings users need to make informed decisions, especially when combined with injected workspace guidance.

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
Confidence
82% confidence
Finding
Create `.claude/settings.json` in your project root: ```json { "hooks": { "UserPromptSubmit": [ { "matcher": "", "hooks": [ { "type": "command",

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.