Security audit

自我成长

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for logging agent learnings, but it broadly persists conversation-derived context and can promote or share it across future sessions without enough privacy and scope controls.

Install only in trusted workspaces where you are comfortable with persistent learning notes. Before enabling hooks or promotion, scope hooks to specific projects, avoid global always-on setup unless needed, and add a rule to store only sanitized summaries. Do not log secrets, tokens, personal data, private transcripts, raw command output, internal URLs, or proprietary details, and review anything before promoting it into agent instruction or workspace memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The document normalizes cross-session transcript access, messaging, and spawning as part of a self-improvement integration even though those capabilities exceed the stated purpose of simple learning capture. Expanding a memory/logging skill into session discovery and inter-session communication increases the attack surface for prompt-context leakage, unintended data sharing, and misuse of other sessions' transcripts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The promotion workflow instructs users to move learnings into AGENTS.md, SOUL.md, and TOOLS.md, which are injected into future sessions as broad behavioral context. That turns localized operational notes into persistent prompt-shaping state, enabling accidental or adversarial contamination of future agent behavior far beyond the original self-improvement logging use case.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding:
The detection triggers use broad natural-language phrases such as common corrections and feature questions, which can cause the skill to activate in ordinary conversation and persist data unexpectedly. In a system that auto-loads or auto-invokes skills, overbroad triggers increase the chance of unintended file writes and retention of user content.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill instructs the agent to write to `.learnings/` and other local files without an upfront warning that this modifies persistent project or workspace state. Users may not realize their prompts, corrections, or operational details are being stored on disk, which creates consent and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The hook setup enables automatic command execution after prompts and tool use, causing recurring reminders and error logging with persistent side effects. Without a strong upfront warning and consent boundary, this can surprise users and continuously capture data beyond the immediate task.

Vague Triggers

Severity: Medium
Confidence: 71%
Finding:
The user-level configuration enables the hook globally with an empty matcher, causing the script to run for every prompt across all projects and contexts. Because hooks execute local commands with the agent's permissions, this broad persistent scope increases the blast radius of any bug, later script modification, or accidental data capture, especially when prompts may contain secrets or sensitive project data.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The guide recommends logging behavioral, tool, and workflow learnings to persistent files and potentially sharing them across sessions without warning that these records may contain sensitive prompts, errors, credentials, or internal context. In a self-improvement skill, omission of persistence and privacy warnings makes accidental retention and later disclosure of sensitive data materially more likely.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
The skill broadly directs logging of user corrections, requests, failures, and contextual details into persistent files, which creates a clear data retention risk. Because these categories often contain secrets, proprietary task context, or personal data, routine use can leak sensitive information into workspace artifacts that may later be shared or committed.

Ssd 3

Severity: High
Confidence: 96%
Finding:
The skill explicitly encourages reading other sessions' transcripts and sending learnings across sessions without defining privacy, need-to-know, or sanitization boundaries. Cross-session sharing materially increases exposure of sensitive content because information collected in one context can be propagated into another without user awareness.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The logging templates ask for full context, input parameters, user context, and actual error output, all of which frequently contain secrets, internal paths, credentials, stack traces, or sensitive business data. Persisting these verbatim turns ephemeral prompt/tool data into durable artifacts that are easy to leak through sync, commits, or later prompt injection.

Ssd 4

Severity: Medium
Confidence: 89%
Finding:
The workflow promotes logged learnings into persistent agent-context files such as `CLAUDE.md`, `AGENTS.md`, and similar instruction sources, creating a pathway for untrusted conversational content to become future behavioral guidance. Over time, this can function as a prompt-persistence mechanism where accidental or adversarial content gains amplified influence across later sessions.

VirusTotal

66/66 vendors flagged this skill as clean.