Back to skill

Security audit

Self-Improve

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent, but it should be reviewed because it can repeatedly scan agent memories and store shared long-term outputs.

Install only if you intend to run a team-wide memory-learning system. Before enabling Cron, restrict workspace_root and knowledge_root, review proposals/PENDING.md, disable unneeded modules and blog/publication outputs, and define clear rules for redaction, retention, per-agent consent, and deletion of sensitive conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The engine explicitly instructs itself to scan other agents' session logs and write results to a shared location readable by all agents. That creates a direct cross-agent data exposure channel, allowing sensitive prompts, secrets, user data, or internal reasoning from one agent context to be propagated into another without consent or need-to-know boundaries.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The runtime materially expands the skill from internal self-improvement into generating unrelated outputs such as blog posts, methodologies, business insights, and articles. This scope creep increases the chance that sensitive internal memory logs or agent-derived content are repurposed into external-facing artifacts without clear authorization, violating least privilege and creating data leakage risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The runtime explicitly defines a flow from internal analysis to draft creation and publication to a blog platform. Turning internal self-improvement material into publishable content without strong consent, review, and sanitization controls creates a direct exfiltration path for sensitive operational data, prompts, user content, or proprietary methodology.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Writing to external learned/business and methodologies directories extends the skill's write surface beyond its own workspace without clear justification in the manifest. This breaks containment expectations, can persist derived data in less-monitored locations, and may enable unintended cross-skill data sharing or leakage of sensitive information.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The document authorizes automatic scanning of all agents' memory directories under the workspace, which expands data access far beyond the minimum needed for self-improvement. In a multi-agent or multi-user environment, this can expose unrelated private context, sensitive operational data, and cross-agent information without clear per-agent consent or scope restrictions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script trusts SELF_IMPROVE_ROOT or the current working directory as the root for all operations, then reads and writes config.yaml and manages module directories beneath it. In a security-sensitive self-improvement skill, allowing the effective root to be environment-controlled broadens file-system reach beyond the stated purpose of proposing improvements with approval, and can lead to unintended modification of arbitrary directories if the script is invoked in an untrusted environment.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
addModule creates directories and writes new MODULE.md files based on unvalidated module names. This exceeds a narrow 'learn and propose improvements' role and introduces direct mutation of skill content, which becomes risky when combined with a caller-controlled root and unsanitized names that may contain path traversal segments.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
removeModule performs recursive deletion with rmdirSync(moduleDir, { recursive: true }) after constructing moduleDir from a potentially unvalidated name and a configurable root. In the context of a self-improvement skill that is supposed to propose changes for approval, this enables irreversible removal of skill content rather than merely suggesting edits, substantially increasing the damage from misuse or path manipulation.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The file defines a scheduled cron trigger and also references an independent execution path via execution.md without clear activation constraints, authorization checks, or scope limits. Ambiguous triggering increases the chance of unintended runs, duplicated writes, or unauthorized invocation of modification flows outside the expected approval process.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill allows agents to automatically create new directories and files without asking in advance, while the overall system performs broad self-modifying data writes. This can surprise users, expand persistence surface area, and create uncontrolled sprawl or placement of sensitive derived data into new locations without meaningful notice.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that it reads each agent's session logs and writes shared results, but does not present this as a privacy-sensitive operation or require informed consent. Because session logs may contain secrets, personal data, and privileged context, the missing warning and controls materially increase the risk of silent privacy violations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The runtime describes generating drafts, business insights, methodologies, and publishing outputs, but provides no user warning or consent model regarding privacy, confidentiality, or downstream disclosure. In a self-improvement context that processes memory logs and lessons, this omission is dangerous because internal or user-derived data may be transformed and exposed without informed approval.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manual trigger phrase "learn and improve" is broad enough to match ordinary conversational requests, which can cause the self-improvement workflow to run unintentionally. In this skill, that risk is amplified because execution can scan memory logs and propose changes to system files, so accidental activation may initiate sensitive analysis or modification workflows without clear user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The system describes automatic scanning of conversation and memory data across agents without a prominent user-facing warning, informed consent flow, or privacy boundary explanation. Because the framework is designed for persistent scheduled collection, the lack of transparent disclosure materially increases the chance of covert retention or overcollection of sensitive data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists arbitrary free-text feedback hints to local JSONL files without any notice, consent flow, or data minimization. Because hints can easily contain sensitive user content, credentials, proprietary prompts, or personal data, this creates an avoidable privacy and data-retention risk rather than a direct code-execution issue.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Negative-feedback hints are duplicated into a second file, corrections.md, which expands the persistence surface and increases the chance that sensitive text is later consumed by humans or downstream automation. This secondary storage happens automatically and without explicit disclosure, making accidental leakage and over-retention more likely.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script trusts SELF_IMPROVE_ROOT to determine the base directory for all reads and writes, then writes files such as data/index.md and memory files under that path without validation or disclosure. In an agent or automation context, a manipulated environment could redirect writes into an unintended workspace or sensitive location, causing data corruption, overwrite of attacker-chosen files within reachable paths, or leakage through indexed content.

Ssd 3

High
Confidence
98% confidence
Finding
This is a clear natural-language data leakage pathway: the engine is instructed to ingest all agents' session logs and emit shared outputs readable by all agents. Even if intended for learning, this design can leak confidential user data, credentials, or sensitive operational context across trust boundaries and make later resurfacing likely.

Ssd 3

Medium
Confidence
88% confidence
Finding
The execution flow directs broad collection from memory logs and prior reflections into persistent feedback, profile, and learned knowledge artifacts. Persistent aggregation of conversational and reflective material increases the chance that sensitive user-provided information will be retained, generalized, and resurfaced later in contexts where it no longer belongs.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Applied 3 times/7 days → Elevate to HOT
- Unused for 30 days → Demote to WARM
- Unused for 90 days → Archive to COLD
- Never automatically deleted

---
Confidence
72% confidence
Finding
automatically delete

Session Persistence

Medium
Category
Rogue Agent
Content
# 3. Check Cron suggestions
cat proposals/PENDING.md

# 4. Add Cron Task to OpenClaw configuration
```

---
Confidence
83% confidence
Finding
Add Cron Task to

Session Persistence

Medium
Category
Rogue Agent
Content
### During Daily Work
- When user corrects you → Record to corrections.md
- After completing important Tasks → Write self-reflection to reflections.md
- When discovering reusable Rules → Record to corrections.md
- When Rules involve system file modifications → Write to proposals/PENDING.md
```
Confidence
80% confidence
Finding
Write self-reflection to reflections.md - When discovering reusable Rules → Record to corrections.md - When Rules involve system file modifications → Write to proposals/PENDING.md ``` --- ## Not a S

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.