Back to skill

Security audit

Self-Improving Agent (ORBIT)

Security checks across malware telemetry and agentic risk

Overview

This self-improvement skill is transparent about keeping agent learning notes, but it can persist and reuse conversation-derived context without enough privacy or review boundaries.

Install only if you want persistent agent memory. Keep logs local when possible, redact secrets, credentials, customer data, private prompts, and personal details before writing entries, and manually review anything promoted into AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md, or Copilot instructions. Avoid global hooks unless you are comfortable with reminders running across all projects, and verify the package slug/source before installing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document's security section materially misrepresents hook behavior by stating the scripts only output text and do not run commands, even though they are explicitly configured as command hooks and one referenced script creates scaffolding. This can cause operators to underestimate execution risk, grant hooks unnecessary trust, and deploy them in sensitive environments without appropriate review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages persistent logging of learnings, errors, user corrections, and promotion into shared memory targets, but does not warn about secrets, personal data, tokens, or confidential business information being captured. In practice, this omission can cause sensitive conversational or system data to be written into local files and then propagated into broader agent context, increasing accidental disclosure risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Using an empty matcher causes the hook to run on every prompt, creating an overly broad trigger surface for automatic command execution. In a self-improvement skill, that means the activator can inject content or run logic continuously across unrelated tasks, increasing the chance of prompt-context manipulation, unnecessary data exposure, or unintended side effects.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The user-level configuration enables global activation of the hook across sessions without clear constraints on when it should run. That broadens persistence and blast radius: a single configuration change affects all projects and prompts, which is especially risky for a skill designed to influence future behavior and capture learnings.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs the agent/operator to persist 'learnings' into workspace files without any warning to avoid storing secrets, personal data, tokens, or sensitive transcripts. In a self-improvement skill, failures and corrections often contain exactly that kind of sensitive context, so persistent storage increases the chance of unintended retention and later disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document describes reading other sessions' transcripts and sending messages across sessions without any privacy, scope, or consent boundaries. That creates a real risk of unnecessary lateral data exposure between sessions, especially if one session contains sensitive user inputs, credentials, or internal context that another session does not need.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to persist user corrections, requests, knowledge gaps, and other conversational context into markdown files for later reuse. Because the content is natural language and intentionally cross-session useful, it can easily contain sensitive prompts, proprietary details, or personal information that later becomes visible to other tasks, agents, or repository collaborators.

Ssd 3

High
Confidence
98% confidence
Finding
These sections direct the agent to record full context, inputs, parameters, user context, and error details in persistent files. That level of detail creates a substantial risk of storing API keys, file contents, customer data, internal URLs, stack traces with secrets, or other sensitive information in plain-text markdown that may be synced, committed, or reused later.

Ssd 3

High
Confidence
98% confidence
Finding
The inter-session features explicitly mention reading another session's transcript and sending learnings to other sessions. In the context of a memory/logging skill, that materially increases disclosure risk because sensitive natural-language content can move across session boundaries without strong access controls, data minimization, or user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.