Security checks across malware telemetry and agentic risk

Overview

This appears to be a real self-improvement skill, but it needs review because it can persist and promote conversation-derived content into future agent instructions, and its guidance on scoping and redaction is weak.

Install only if you intentionally want durable learning logs and prompt-file promotion. Keep it project-scoped where possible, review any hook before enabling it globally, redact secrets and personal data before logging, and require human review before copying learnings into AGENTS.md, SOUL.md, TOOLS.md, MEMORY.md, CLAUDE.md, or Copilot instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Medium, 96% confidence
The document claims the hook scripts 'only output text' and 'don't modify files or run commands,' but the configuration explicitly invokes shell scripts as commands, and one documented script scaffolds new skills. This mismatch can mislead users into granting trust or enabling hooks under false assumptions, increasing the chance of unintended code execution or file changes in the agent's runtime context.

Description-Behavior Mismatch

Medium, 91% confidence
The guide expands a narrowly scoped self-improvement skill into writing or promoting content into global prompt files like AGENTS.md, SOUL.md, and TOOLS.md. That creates a persistent prompt-injection pathway where transient observations can alter future agent behavior, coordination rules, or tool usage outside the original skill purpose.

Context-Inappropriate Capability

Medium, 94% confidence
Documenting cross-session history access, messaging, and spawning in a self-improvement integration materially expands the capability surface beyond simple learning capture. In this context, those features can enable lateral movement between sessions, inspection of unrelated conversations, and propagation of injected or sensitive content across agent boundaries.

Vague Triggers

Medium, 79% confidence
The invocation guidance is very broad and can match many ordinary interactions such as corrections, routine failures, or discovering a better approach. In practice this can cause over-activation, leading the agent to persist conversation-derived content or alter memory files in situations where the user did not intend any long-term retention.

Vague Triggers

Medium, 84% confidence
The detection triggers rely on common conversational phrases like corrections or feature questions that appear in normal chat. This creates a realistic risk of automatic logging or memory updates from incidental user language, increasing unwanted retention and propagation of potentially sensitive content.

Vague Triggers

Medium, 89% confidence
Using an empty matcher causes the activator hook to run on every prompt, creating a broad automatic trigger surface for all user interactions. In a self-improvement skill, this expands the scope of prompt interception and increases the chance of unnecessary context injection, sensitive prompt exposure to hook logic, or abuse if the script is altered.

Vague Triggers

Medium, 91% confidence
The user-level configuration enables the hook globally across sessions, extending automatic script execution beyond a single project and reducing scope control. If the hook script is changed, compromised, or simply too intrusive, the impact affects all future interactions rather than one repository.

Vague Triggers

Medium, 83% confidence
Using 'Knowledge gaps' as a trigger is overly broad and can cause frequent automatic activation when the model is uncertain, outdated, or simply asking clarifying questions. That increases the chance of unnecessary persistence of user content, model speculation, or sensitive context into learning stores without clear boundaries.

Vague Triggers

Medium, 80% confidence
The trigger 'Skill issue' is underspecified and leaves activation to subjective interpretation, which can cause arbitrary logging or workflow changes. Ambiguous triggers are dangerous in prompt-driven systems because they let benign interaction patterns mutate into persistence or coordination actions without reliable safeguards.

Missing User Warnings

Medium, 96% confidence
The documentation instructs users to persist learnings to files but does not warn against storing secrets, personal data, access tokens, internal prompts, or other sensitive material. Persistent memory files can become a long-lived disclosure source for later sessions, other skills, backups, or local users.

Ssd 3

Medium, 93% confidence
The logging templates explicitly encourage storing full context, user corrections, inputs, parameters, error output, and related files in persistent markdown. That can capture secrets, proprietary prompts, personal data, or sensitive operational details and retain them across sessions, creating a clear data minimization and privacy risk.

Ssd 3

Medium, 91% confidence
The inter-session communication section encourages reading other sessions' transcripts and sending learnings across sessions. Without strict scoping and sanitization, this can expose private conversation content to unrelated sessions, agents, or operators and amplify the blast radius of any sensitive data captured earlier.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal