Self-Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed self-improvement tool, but it broadly records work sessions and can change future agent behavior, so users should review it carefully before installing.

Install only if you intentionally want the agent to keep durable learning records and propose changes to skills. Use explicit opt-in triggers, review every proposed memory or skill write, avoid using it on sensitive projects or secrets, and periodically inspect or delete the memory/self-improving files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill defines automatic triggers for broad, routine events like task completion, errors, and session end, which can cause the self-improvement workflow to activate during normal operation without a narrowly scoped user request. In a self-modifying or memory-writing skill, unintended invocation increases the chance of persistent state changes, noisy memory accumulation, or repeated prompts for approval at inappropriate times.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The manual trigger phrases include generic expressions such as '总结经验' and '从经验中学习' that can plausibly appear in ordinary conversation, making accidental activation more likely. Because this skill stores memory and proposes future skill changes, ambiguous invocation can lead to unintended analysis of conversations and unnecessary persistence of session data.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The skill is framed as a universal system that activates on broad conditions like important tasks and conversation end, which can cause the agent to invoke memory collection and update workflows without clear user intent for a specific bounded operation. In practice, overly broad activation increases the chance of unintended persistence, review of unrelated context, and triggering self-modification logic during routine interactions.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The manual triggers include vague phrases such as requests to improve a workflow or summarize experience, without requiring confirmation that the user wants persistent learning or file updates. This ambiguity can cause the skill to interpret normal requests as authorization to inspect memory, retain data, or propose modifications beyond the user's expectations.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to always read core memory and today's memory, then maintain dedicated semantic, episodic, and working memory stores for ongoing learning. This creates a broad retention surface for user/task context in natural language, increasing the likelihood of collecting sensitive information and resurfacing it in later sessions or contexts.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The experience extraction and episodic logging templates capture task details, outcomes, root causes, and user feedback, then consolidate them into long-term memory. Because the stored content is plain-language operational history, it can easily include confidential prompts, code details, errors, or personal data that later become accessible outside the original context.

Ssd 3

Medium

Confidence: 96% confidence
Finding: Appending session summaries and high-confidence patterns into shared agent memory increases cross-context data exposure because future tasks may read these files and inherit prior user information. Even with confirmation, this design encourages propagation of session-derived details into broadly consulted memory locations, raising the risk of unauthorized disclosure and prompt contamination.

Self-Modification

High

Category: Rogue Agent
Content: Confirm this update? (yes/no/modify) ``` Once confirmed, update skill files with **evolution markers** for traceability: ```markdown
Confidence: 98% confidence
Finding: update skill

Self-Modification

High

Category: Rogue Agent
Content: ### DON'T - **NEVER modify skill files or Agent memory files without user confirmation** — this is a hard rule with no exceptions - **NEVER overwrite** Agent memory content — always append at the end - Over-generalize from a single experience — wait for 2-3 occurrences before creating a pattern - Update skills without confidence tracking
Confidence: 89% confidence
Finding: modify skill

Self-Modification

High

Category: Rogue Agent
Content: - **NEVER modify skill files or Agent memory files without user confirmation** — this is a hard rule with no exceptions - **NEVER overwrite** Agent memory content — always append at the end - Over-generalize from a single experience — wait for 2-3 occurrences before creating a pattern - Update skills without confidence tracking - Ignore negative feedback — it's the most valuable signal - Make changes that break existing, working functionality - Create contradictory patterns — resolve conflicts explicitly
Confidence: 87% confidence
Finding: Update skill

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal