Back to skill

Security audit

Skill Gitee

Security checks across malware telemetry and agentic risk

Overview

This looks like a real self-improvement logging skill, but it needs review because it can persist agent behavior, enable broad automatic hooks, and has inconsistent package metadata.

Install only after reviewing the publisher, correcting the skill identity/dependency mismatch, and deciding whether you really want persistent learning files and hooks. Prefer project-scoped setup, avoid global empty-matcher hooks, require explicit approval before writing to CLAUDE.md, AGENTS.md, SOUL.md, TOOLS.md, or Copilot instructions, and keep logs sanitized with no secrets, tokens, raw transcripts, or sensitive business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill instructs writing beyond local learning logs into broader behavioral and memory files such as CLAUDE.md, AGENTS.md, SOUL.md, and TOOLS.md. That creates a self-modifying prompt surface where temporary observations can become durable instructions, potentially altering future agent behavior without strong approval boundaries.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill introduces cross-session transcript access and messaging despite being framed as a learning logger. Accessing session history or sending learnings to other sessions increases the risk of privacy leakage, unintended data propagation, and context mixing across tasks or users if used without strict trust and consent controls.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The hook-based setup causes automatic execution on prompt submission and optionally after Bash tool use, allowing the skill to inspect ongoing interactions and command outcomes. Even if intended for reminders or error detection, this expands the skill from passive documentation into ambient monitoring, which can capture sensitive content or create surprising persistence behavior.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill includes functionality to extract new reusable skills from accumulated learnings, which goes well beyond simple note-taking. This is risky because it turns logged content into executable or reusable agent instructions, potentially propagating mistakes, unsafe practices, or adversarially influenced guidance into new trusted artifacts.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document states that the scripts 'only output text' and 'don't modify files or run commands,' but the configuration explicitly defines them as hook commands executed by the host. This misleading assurance can cause operators to under-trust the risk of enabling arbitrary shell scripts that execute automatically in response to prompts or tool events.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation guidance is broad enough to trigger during many normal interactions, including ordinary corrections, API failures, or discovery of a better approach. Over-broad activation increases the chance of unnecessary logging, file modifications, and normalization of persistence behavior in contexts where the user did not intend any durable record.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases overlap with common conversational language like ordinary corrections or feature questions, with no strong exclusion criteria. That can cause the skill to over-collect routine chat into persistent logs, increasing privacy and noise risks while training agents to persist more than necessary.

Vague Triggers

Medium
Confidence
89% confidence
Finding
An empty matcher causes the hook to run on every prompt, which broadens activation far beyond exceptional learning/error cases. In this skill context, that means automatic execution of local scripts on all routine interactions, increasing exposure to prompt-derived data handling, accidental sensitive-context processing, and persistent overhead.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Using an empty matcher in user-level configuration enables automatic script execution for every prompt across all projects, expanding the blast radius from one repository to the entire user environment. This is more dangerous than project-local scope because unrelated workspaces and potentially sensitive prompts are all subjected to the hook.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The 'minimal setup' still triggers on every prompt, so it reduces only the number of hooks, not the breadth of automatic execution. In a self-improvement skill, this can normalize pervasive interception of agent interactions instead of limiting activation to meaningful failure or correction scenarios.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The Codex example also uses an empty matcher, causing broad activation on routine prompts and replicating the same overreach in another agent environment. Cross-tool guidance increases the chance that users adopt unsafe defaults widely, making the issue systemic rather than isolated.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger definitions are broad enough that ordinary model mistakes, tool errors, or ambiguous 'behavior surprises' could cause automatic logging of content into persistent files. In a self-improvement skill, that raises a real risk of over-collection and unintended retention of sensitive prompts, outputs, or environment-specific details, even if the document does not explicitly instruct exfiltration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide promotes writing learnings into workspace files and `.learnings/` as a normal workflow, but it does not pair that with clear restrictions on sensitive or user-specific data. Because these files are persistent and may later be injected back into future sessions, accidental storage of secrets, private data, or unsafe instructions can compound over time.

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
Confidence
81% confidence
Finding
Create `.claude/settings.json` in your project root: ```json { "hooks": { "UserPromptSubmit": [ { "matcher": "", "hooks": [ { "type": "command",

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.