Handy01 Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a local self-improvement logger with a broad auto-analysis claim, but its artifacts show no hidden execution, network access, credential access, or destructive behavior.

Install only if you are comfortable with local improvement notes being written to an improvement_log.md file in the OpenClaw workspace. Avoid enabling automatic post-session analysis for sensitive chats unless your host provides clear opt-in, scoping, and deletion controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The statement that the skill 'automatically analyzes conversations after each session' creates an overly broad trigger with no scope, consent boundary, or data minimization rule. In practice, this can cause the skill to process every conversation indiscriminately, including sensitive sessions, and to do so without clear user awareness or control.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill promotes automatic conversation analysis and use of a persistent improvement log, but it does not warn users that their conversations may be inspected and stored. This lack of disclosure increases privacy risk because users may share sensitive information without realizing it will be analyzed or written to disk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal