Meta Skill Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it encourages broad persistent logging of tasks, prompts, context, and errors without enough privacy controls.

Install only if you are comfortable with the skill keeping a local history of prompts, task context, errors, outcomes, and tool parameters. Avoid auto-recording sensitive work unless you add redaction, retention limits, a way to inspect/delete stored records, and a clearly chosen storage path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 79%
Finding:
The skill advertises optimization and learning behavior but does not declare the effective read/write capabilities implied by persistent knowledge storage and execution recording. Undeclared filesystem access weakens reviewability and user consent, and in a self-improving skill it can enable silent retention of prompts, results, or other sensitive context.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
The documented purpose understates important behaviors including persistent local storage, knowledge export, and experience merging. That mismatch is dangerous because users may enable the skill expecting benign prompt optimization while it also accumulates and transfers historical execution data, which increases privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The skill encourages collecting broad feedback and execution results without warning that prompts, context, outputs, and errors may contain secrets, personal data, or proprietary material. In a meta-optimizer, this context is especially sensitive because it aggregates across many tasks and can become a durable dataset of user behavior and confidential content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The optimizer silently persists operational data to a predictable local file under the user home directory without any notice, consent, retention control, or permission hardening. In a self-improving skill, tasks, contexts, outcomes, and prompts can contain sensitive user or system data, so undisclosed persistence materially increases privacy and data-handling risk.

Ssd 3

Severity: Medium
Confidence: 91%
Finding:
The instruction to 'Record Everything' combined with automatic execution hooks promotes indiscriminate logging of all contexts and results. In practice this can capture credentials, tokens, personal data, file contents, and sensitive business information, and the self-improvement design makes the accumulation persistent and reusable across future tasks.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
`record_success` and `record_failure` store arbitrary `task`, `approach`, `context`, `outcome`, `error`, and `lesson` data verbatim. Because this skill is designed to learn from prior interactions, it is especially likely to capture secrets, personal data, proprietary prompts, or internal system details and retain them indefinitely in plain JSON.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The prompt optimization workflow explicitly appends context about user background, goals, and constraints while also retaining original prompts in effective/ineffective lists. That creates a strong mechanism for accumulating and replaying sensitive user information in human-readable form, which is particularly risky in a meta-optimizer intended to continuously refine future behavior from past inputs.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
`generate_examples` and `export_knowledge` can surface prior approaches, patterns, and insights directly from stored history, which may include sensitive or proprietary content from earlier users or tasks. In a learning system, replay/export functions convert passive retention into active disclosure, increasing the chance of cross-session data leakage.

VirusTotal

66/66 vendors flagged this skill as clean.
