ClawHub
Back to skill

Security audit

Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed self-improvement logger with opt-in reminders and persistent notes, but users should scope its memory and hook behavior carefully.

Install if you want persistent learning notes and reminders. Prefer project-local .learnings and project-scoped hooks, avoid user-level always-on hooks unless you want this in every workspace, redact secrets and raw transcripts, and review any entry before promoting it into files that future agents will automatically read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The manifest frames the skill as a logging utility, but the body also describes prompt-injection hooks, output scanning, cross-file promotion into persistent agent context, and skill generation. That mismatch can mislead users and reviewers about the actual authority and side effects of the skill, increasing the chance that broader persistence and behavior-shaping features are enabled without informed consent.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill documents the ability to read session history and send information across sessions, which expands its reach from local note-taking into inter-session data movement. Even though it says to use these only in trusted environments and with explicit user intent, this creates a pathway for transcript leakage, unintended disclosure, or persistence of sensitive context beyond the current session.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill encourages promotion of learnings into broad instruction files such as CLAUDE.md, AGENTS.md, SOUL.md, TOOLS.md, and Copilot instruction files. Those files can persistently shape future agent behavior, so a logging skill effectively becomes a mechanism for durable prompt modification, which is more sensitive than simple note capture.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Automatically extracting learnings into new skills turns a passive logging tool into an authoring mechanism that can create reusable agent capabilities on disk. If the source learning is incomplete, poisoned, or adversarially influenced, this can propagate unsafe behavior into future sessions and make review harder.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document's security section is internally inconsistent: it says the scripts 'only output text' and 'don't modify files or run commands,' while the hook configuration explicitly invokes shell scripts via the command hook mechanism. This can mislead users into underestimating the trust boundary and execution risk of enabling these hooks, especially since shell scripts inherently execute in the user's environment with the agent's permissions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Using an empty matcher for UserPromptSubmit causes the hook to run on every prompt, creating an overly broad trigger surface. In a self-improvement skill, this increases the chance of unnecessary context injection, accidental exposure of sensitive prompt content to hook logic, and persistent execution of a local script in situations where it is not needed.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The user-level configuration recommends global activation from the user's home directory without meaningful trigger constraints, expanding the hook's scope across all projects and sessions. This increases persistence and blast radius: any flaw, misbehavior, or future change in the script affects all use of the agent rather than a single repository.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Codex example also uses an empty matcher, so the hook will trigger on every prompt with no task-based restriction. Because this skill is designed to run frequently and influence future behavior, broad unconditional activation increases the chance of unnecessary execution, prompt overcollection, and hard-to-audit persistent behavior across developer workflows.

Session Persistence

Medium
Category
Rogue Agent
Content
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
Confidence
83% confidence
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
Confidence
88% confidence
Finding
Create `.claude/settings.json` in your project root: ```json { "hooks": { "UserPromptSubmit": [ { "matcher": "", "hooks": [ { "type": "command",

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.