Evolution Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent agent-improvement toolkit, but it retains private workspace-derived profiles and can send playbook/test data to Gemini with insufficient disclosure.

Install only if you want persistent local agent-memory analysis. Use a dedicated workspace, keep secrets and sensitive customer/internal content out of memory logs and optimizer test cases, review files written under memory/, and use a limited Gemini/Google API key only after confirming the configured data is safe to send externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence: 88%
Finding:
The README makes a trust-building claim that the packaged scripts do not depend on credentials, yet the documented optimizer explicitly looks for API keys from environment variables and workspace secret files. This kind of misleading documentation can cause operators to install and run the toolkit under incorrect assumptions about secret access, increasing the risk of unintended credential exposure or overbroad trust in the package.

Intent-Code Divergence

Medium
Confidence: 92%
Finding:
The usage text documents several invocation modes but omits that a normal single-file run persists derived fingerprints to disk by default. Because the script analyzes potentially sensitive user text and stores behavioral/"cognitive" metadata under a workspace path automatically, this creates a privacy and transparency issue: users may expose sensitive derived data without informed consent.

Intent-Code Divergence

Medium
Confidence: 95%
Finding:
The script advertises a dry-run mode but still appends optimization history to a persistent file via saveHistory(history). That can leak sensitive prompts, model outputs, and metadata to disk even when an operator reasonably expects no state changes or artifact persistence, undermining privacy and operational expectations.

Vague Triggers

Medium
Confidence: 84%
Finding:
The protocol says it should be integrated into the default engagement style and read before any non-trivial problem, which makes activation scope unusually broad. In a safety context, broad always-on behavioral overlays can override task-specific constraints, degrade responsiveness, and inappropriately steer unrelated conversations into a prescribed interaction pattern.

Vague Triggers

Medium
Confidence: 88%
Finding:
The phase-detection logic maps very common phrases like 'I think', 'Should I', and 'Build' to behavioral modes, creating a high risk of accidental triggering during normal conversation. Misclassification can push the agent into devil's-advocate, non-recommendation, or fast-execution behaviors at the wrong time, which may conflict with user intent or safety-sensitive guidance.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The script automatically saves a fingerprint whenever exactly one file is processed, unless the user explicitly supplies --no-save. Since fingerprints are derived from arbitrary input text and are labeled/timestamped, this creates silent retention of potentially sensitive behavioral metadata in a persistent local store, which is especially risky in an agent/workspace context where inputs may contain private notes, prompts, or journal entries.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The script enumerates and reads daily memory logs, then generates a synthesized report that can aggregate sensitive personal or operational information into a new artifact. Even if this is the stated purpose of the tool, the lack of an explicit privacy notice, consent prompt, or data-minimization controls increases the risk of unintended disclosure and makes sensitive-data processing less transparent to the user.

Missing User Warnings

Medium
Confidence: 89%
Finding:
generateOutput sends the full test case and full playbook content to Google's external Gemini API. In a skill-optimization context, those inputs may contain proprietary prompts, customer data, or internal procedures, so transmitting them off-host without clear disclosure or consent creates a real confidentiality and data-governance risk.

Missing User Warnings

Medium
Confidence: 90%
Finding:
evaluateOutput sends generated output plus test-case data to the same external API for scoring, which can compound exposure by transmitting both source inputs and potentially sensitive generated artifacts. Because this occurs automatically during evaluation, users may unintentionally disclose confidential content multiple times per iteration.

VirusTotal

66/66 vendors flagged this skill as clean.