Security audit

Self Improving Agent V2

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent and not malicious, but it asks agents to persist detailed session learnings, promote them into future prompt files, and optionally run hooks broadly without enough scoping or redaction guidance.

Install only if you want persistent agent memory. Keep it project-scoped, avoid the global hook unless you really need it, review the hook scripts before enabling them, and treat .learnings and promoted prompt files as sensitive: redact secrets, customer data, raw prompts, credentials, and unrelated session content before saving or sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence: 88%
Finding
Using an empty matcher causes the hook to run on every prompt, which broadens execution scope beyond clearly justified cases and increases the chance of unintended activation. In this skill, that means a local shell script is invoked continuously during normal use, creating unnecessary attack surface and operational risk if the script path is replaced, modified, or behaves unexpectedly.

Vague Triggers

Medium
Confidence: 84%
Finding
The user-level configuration enables the hook across all sessions, including unrelated projects and contexts, which can lead to unintended persistence and ubiquitous command execution. Even if the referenced script is intended to be harmless, globally wiring prompt hooks to shell commands increases the blast radius of any script tampering, misconfiguration, or future behavior changes.

Missing User Warnings

Medium
Confidence: 91%
Finding
The main setup instructions tell users to configure automatic execution of local shell scripts on prompt submission without placing a clear warning immediately alongside the setup step. That is dangerous because readers may copy-paste the configuration before understanding that every prompt can trigger command execution with the agent's permissions.

Ssd 3

Medium
Confidence: 95%
Finding
The skill encourages persisting user corrections, requests, and contextual details across sessions in markdown files. That creates a realistic risk of storing sensitive prompts, secrets, internal project details, or personal data in durable locations that may later be read, indexed, synced, or committed.

Ssd 3

High
Confidence: 98%
Finding
The documented logging format explicitly tells the agent to store detailed context, command inputs, parameters, and environment details. In practice, those fields often contain API keys, file paths, customer data, prompts, tokens, or internal system information, so the workflow materially increases the chance of sensitive-data retention and later disclosure.

Ssd 3

High
Confidence: 97%
Finding
The skill explicitly supports reading other sessions' transcripts and sending learnings across sessions without any stated access-control, consent, or minimization requirements. That creates a strong risk of cross-session data exposure, where one task can surface sensitive material from unrelated sessions and propagate it further.

Session Persistence

Medium
Category: Rogue Agent
Confidence: 79%
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
```

Finding
The flagged excerpt registers a `command` hook under `UserPromptSubmit` with an empty `matcher`, so the referenced script is executed on every prompt submission for as long as the configuration remains in place.

VirusTotal

63/63 vendors flagged this skill as clean.