Security audit

My skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed self-improvement logger with optional reminder hooks, but users should be careful because it can create persistent agent memory files.

Install this only if you want agents to keep persistent learning notes. Prefer project-local .learnings folders, avoid global all-prompt hooks unless you really want them, review hook scripts before enabling, and never store secrets, tokens, raw transcripts, or sensitive command output in learning or prompt-injected files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The document states that the scripts 'only output text' and 'don't modify files or run commands,' but the configured hooks explicitly invoke shell scripts as commands. That mismatch can cause operators to underestimate execution risk and grant broad trust to code that runs automatically on prompt submission or after tool use, increasing the chance of unsafe script behavior going unnoticed.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
An empty matcher on UserPromptSubmit causes the hook to fire for every prompt, creating a broad automatic execution surface. In this skill's context, that means a shell script runs on all interactions, which increases exposure to prompt-flow interference, unnecessary processing, and abuse if the script is modified or compromised.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The user-level configuration recommends global activation with an empty matcher, so the hook runs across all projects and prompts. That expands the blast radius from one repository to the user's entire environment, making accidental leakage, unwanted behavior, or execution of altered scripts significantly more dangerous.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The Codex CLI example also uses an empty matcher, so the command hook executes on every prompt without task-level scoping. This broad trigger can interfere with normal workflows and creates a persistent, automatic execution path that is hard for users to reason about safely.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document encourages promoting session-derived 'learnings' into persistent workspace files such as SOUL.md, TOOLS.md, and AGENTS.md, but it does not warn users to exclude secrets, personal data, tokens, or sensitive transcript content. In an agent system that injects these files into future sessions, this creates a durable prompt/context channel where sensitive information can be unintentionally retained and repeatedly exposed.

Self-Modification

Severity: High
Category: Rogue Agent
Content:

```bash
[ -f .learnings/FEATURE_REQUESTS.md ] || printf "# Feature Requests\n\nCapabilities requested by the user.\n\n---\n" > .learnings/FEATURE_REQUESTS.md
```

Never overwrite existing files. This is a no-op if `.learnings/` is already initialised.

Do not log secrets, tokens, private keys, environment variables, or full source/config files unless the user explicitly asks for that level of detail. Prefer short summaries or redacted excerpts over raw command output or full transcripts.
Confidence: 88%
Finding
overwrite existing file

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:

```
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
```
Confidence: 90%
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.