Self Improvement Ai

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent self-improvement logger, but it asks agents to persist and share session learnings in ways that could expose sensitive conversation or command details without enough scoping or redaction guidance.

Install only if you want persistent learning logs and optional reminder hooks. Keep the hooks project-scoped when possible, review entries before promotion into agent instruction files, and do not log raw secrets, tokens, customer data, private transcript excerpts, full environment dumps, or unreviewed command output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium severity, 95% confidence
Finding: The document's security section is internally inconsistent: it says the scripts 'only output text' and 'don't modify files or run commands,' yet the setup explicitly configures the agent to execute shell scripts via hook commands. That can mislead users into underestimating the trust and execution risk of these hooks, especially because shell scripts run with the agent user's privileges and may perform arbitrary actions if changed or replaced.

Missing User Warnings

Medium severity, 94% confidence
Finding: The skill instructs agents to log user corrections, errors, and learnings into persistent files without requiring redaction or consent checks. That creates a real risk of storing sensitive user content, proprietary information, or secrets in markdown logs that may later be shared or committed.

Missing User Warnings

High severity, 98% confidence
Finding: The skill explicitly promotes reading other sessions' transcripts and sending learnings across sessions without any privacy boundary, need-to-know restriction, or consent model. This can disclose sensitive conversation data across agents or sessions in plain language and materially expands the blast radius of any sensitive input.

Missing User Warnings

Medium severity, 93% confidence
Finding: Encouraging storage of command inputs, parameters, environment details, and promotion to shared files can easily capture secrets such as API keys, internal hostnames, tokens, or customer data. Without warnings or redaction requirements, this creates persistent secret leakage risk.

Vague Triggers

Medium severity, 91% confidence
Finding: An empty matcher causes the hook to run on every prompt, greatly expanding the trigger surface and normalizing automatic command execution for all interactions. In a self-improvement skill, that means unneeded code execution on routine prompts and more opportunities for misuse, prompt-triggered side effects, or noisy persistence.

Vague Triggers

Medium severity, 94% confidence
Finding: The user-level example installs a global hook with an empty matcher, causing automatic execution across all sessions and repositories. This increases blast radius because any future work context inherits the behavior, including unrelated or sensitive projects where the hook may expose data or create unintended persistence-like behavior.

Vague Triggers

Medium severity, 90% confidence
Finding: Although labeled 'minimal,' this configuration still executes a shell hook on every prompt because the matcher is empty. Reducing the number of hooks lowers overhead but does not address the core risk of broad, automatic activation.

Vague Triggers

Medium severity, 90% confidence
Finding: The Codex CLI example repeats the same broad pattern by attaching a command hook to every prompt with no filtering. Because this is documentation intended for reuse, it propagates an insecure default across environments and makes unnecessary command execution part of ordinary prompt handling.

Ssd 3

Medium severity, 95% confidence
Finding: Persisting user and session content to local files is a genuine data-handling risk because it turns transient conversation content into durable storage. In environments where workspaces are synced, shared, or committed, this can expose sensitive operational or personal information beyond the original session.

Ssd 3

High severity, 99% confidence
Finding: Cross-session transcript access and messaging materially increase the chance of unauthorized disclosure because one session can mine another's history and redistribute learnings. In a multi-agent workspace, this undermines isolation assumptions and can leak sensitive instructions, credentials, or business context across tasks.

Ssd 3

High severity, 98% confidence
Finding: The prescribed logging schema asks for full context, actual error output, inputs, parameters, and user context, which strongly encourages copying sensitive material verbatim into persistent files. Error outputs and command parameters commonly contain secrets, paths, internal URLs, or customer data, making this a realistic leakage vector.

Ssd 3

Medium severity, 91% confidence
Finding: Automatically logging when the user provides new information encourages retention of user-supplied content as memory without assessing whether that information is sensitive or intended for long-term storage. This can normalize collecting and persisting confidential facts merely because they were useful.

Session Persistence

Medium severity, 74% confidence
Category: Rogue Agent
Content (excerpt from the skill's documentation, reproduced as captured):

    └── FEATURE_REQUESTS.md
    ```

    ### Create Learning Files

    ```bash
    mkdir -p ~/.openclaw/workspace/.learnings

Finding: Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

63/63 vendors flagged this skill as clean.
