hermes-agent self-evolving skill (drop-in alternative to openclaw)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed self-improvement skill, but it can persist memories, alter generated skills, run checks, fetch upstream data, and encourages GitHub publishing without clear consent boundaries.

Install only if you intentionally want persistent agent memory and self-improvement files. Keep secrets, credentials, private prompts, and sensitive personal data out of its memory; require manual approval before generated skills become active, before any scheduled checks are enabled, and before any git commit or push. Periodically inspect and prune ~/self-improving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True, text=True
        )
    elif cmd in ["eval", "improve"]:
        result = subprocess.run(
            ["python3", str(SCRIPT_DIR / "skill_evaluator.py")] + [f"--{cmd}", args[0]],
            capture_output=True, text=True
        )
Confidence
67% confidence
Finding
result = subprocess.run( ["python3", str(SCRIPT_DIR / "skill_evaluator.py")] + [f"--{cmd}", args[0]], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True, text=True
        )
    elif cmd == "check":
        result = subprocess.run(
            ["bash", str(SCRIPT_DIR / "self_check_cron.sh")],
            capture_output=True, text=True
        )
Confidence
84% confidence
Finding
result = subprocess.run( ["bash", str(SCRIPT_DIR / "self_check_cron.sh")], capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of file read/write, shell execution, scheduled tasks, and network access, yet declares no explicit permissions or user-consent boundaries. In a self-modifying, auto-persisting skill, this lack of permission scoping is dangerous because users and hosting agents cannot reliably constrain actions such as local data changes, cron-driven execution, GitHub sync, or upstream fetching.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The README explicitly instructs that every self-evolution change must be committed and pushed to GitHub. For a self-modifying skill, this normalizes automatic repository synchronization and can exfiltrate locally generated content, prompts, memory-derived artifacts, or sensitive workspace data to a remote service without clear consent boundaries. In this context, the self-evolving nature of the skill makes the behavior more dangerous because code and docs may be altered autonomously and then published upstream.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The entrypoint exposes an upstream-tracking execution path that extends beyond simple memory and skill management, increasing the tool's operational reach. In a self-evolution context, functionality that fetches, compares, or fuses upstream changes can become a supply-chain or unintended-code-ingestion risk if not tightly constrained.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
Running a shell-based self-check introduces general shell-execution capability that is broader than the stated skill purpose and can be leveraged for unintended system interaction. In a self-improving agent skill, this is more dangerous because maintenance hooks can be repurposed as privileged execution paths or persistence mechanisms.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises self-learning, automatic skill creation, memory management, and hourly self-checks but does not warn that these features may persist data, modify files, or trigger recurring automated actions. Users may enable the skill without understanding its operational footprint, which can lead to unexpected state changes, privacy issues, or ongoing background activity. The autonomous-agent context increases risk because these capabilities imply durable and potentially self-directed behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick-start commands instruct users to add memories and run a full self-check without disclosing that these actions may write persistent state or initiate automated checks. This is risky because users are encouraged to execute commands immediately, before understanding storage, retention, or automation side effects. In a skill centered on memory and self-improvement, such omissions materially increase the chance of unintended persistence and system-impacting behavior.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger set includes broad phrases such as '自进化', '自我学习', '持续改进', and '记忆管理', which can match ordinary user requests and activate a high-privilege skill unexpectedly. Because this skill performs persistence, self-modification, scheduled checks, and upstream tracking, accidental invocation increases the chance of unauthorized local changes or network activity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The description openly states that the skill stores memory, appends changelogs, tracks upstream changes, runs periodic self-checks, and pushes changes to GitHub, but it does not prominently warn users that local data may be automatically persisted or modified on a schedule. This is especially dangerous in a self-improving skill because background writes and scheduled actions can alter files, leak data to remote repos, or create ongoing behavior the user did not knowingly authorize.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The self-check executes a shell script without any explicit warning, dry-run mode, or user confirmation about what actions may occur. That is dangerous because users may trigger potentially state-changing or environment-sensitive behavior under the assumption that 'check' is read-only and harmless.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The remember/forget paths persist and delete long-term memory entries immediately with no consent, confirmation, or visibility to the user. In an agent skill centered on self-improvement and persistent memory, this can silently store sensitive data or erase important records, increasing privacy and integrity risk across future sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
on_delegation automatically writes task and result snippets into HOT long-term memory without user disclosure or approval. Delegated tasks often contain prompts, internal work products, or sensitive user/project details, so this creates a realistic path for unintended retention and later resurfacing.

Ssd 3

Medium
Confidence
88% confidence
Finding
The compression hook instructs the system to preserve all HOT-layer facts in summaries, which can propagate sensitive remembered content into compressed context and increase later disclosure risk. In a persistent-memory skill, this broad carry-forward behavior makes accidental retention of personal, proprietary, or secret data more dangerous over time.

Ssd 3

Medium
Confidence
94% confidence
Finding
The delegation hook semantically promotes task content and results into long-term memory, which risks storing and later exposing sensitive data embedded in delegated work. Because this skill is explicitly designed for continuous self-improvement and reuse of prior context, the stored delegation snippets may be recalled in unrelated future interactions.

VirusTotal

67/67 vendors flagged this skill as clean.