Self Improving Agent Local

Security checks across malware telemetry and agentic risk

Overview

This self-improvement skill appears non-malicious, but it needs review because it can persist sensitive session-derived content and alter future agent instructions broadly.

Install only if you intentionally want an agent to maintain persistent local learning files and influence future agent behavior. Prefer project-local hooks over global hooks, avoid empty always-on matchers where possible, review entries before promotion, and do not store secrets, credentials, personal data, private transcripts, or sensitive business context in the learning or memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The document's security section says the hook scripts only output text and do not run commands, but the configuration explicitly registers shell scripts as command hooks and also references an extraction script that creates skill scaffolding. This is misleading security documentation: operators may grant trust or broader deployment based on false assumptions, increasing the chance that command-executing hooks run with unnecessary privileges or escape scrutiny.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: Using an empty matcher causes the activator hook to run on every prompt, which broadens the trigger surface without meaningful scoping. In a self-improvement skill that injects reminders into context on every interaction, this creates persistent prompt-level influence and raises the risk of context pollution, unintended behavior shaping, or abuse if the script output is ever modified.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The guide recommends user-level global activation in ~/.claude/settings.json without narrowing conditions, causing the hook to affect all projects and sessions. That persistence makes the behavior more dangerous because a single trusted setup propagates prompt injection or operational influence across unrelated repositories, including sensitive ones.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The skill explicitly encourages durable logging of errors, corrections, and user-provided context, and later promotion or sharing of those learnings across files and sessions. Without data minimization, redaction, or consent gates, this can persist sensitive conversational content, secrets, internal paths, or proprietary business context in plaintext memory stores.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: The feature-request template directs capture of requested capability and user context in a durable file, which can encode sensitive business intent, roadmap information, or personal data. Because the guidance normalizes persistent storage of semantically rich user needs, it creates a realistic privacy and data leakage risk even without explicit secrets.

Ssd 3
Severity: Medium
Confidence: 98%
Finding: The error template requests raw error output, inputs, and environment details, all of which commonly contain secrets such as API keys, tokens, connection strings, file paths, internal hostnames, or customer data. Persisting this material in markdown significantly increases the exposure surface and can convert a transient secret disclosure into a durable compromise.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: The inter-session features explicitly describe reading transcripts and sending learnings across sessions, which expands the audience and lifetime of potentially sensitive conversation data. Cross-session sharing magnifies privacy and confidentiality risks because information disclosed in one task can be replicated into other contexts without clear authorization or need-to-know boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.