Back to skill

Security audit

Self-Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it gives the agent broad long-term memory and skill-changing behavior that can affect future sessions without enough user control.

Install only if you intentionally want an agent-wide persistent memory framework. Before enabling it, decide where memory files are stored, require explicit consent for L2/L3 writes and profile-like observations, review what gets injected into future sessions, and avoid granting skill-management or broad file-write access unless you are comfortable with durable changes to the agent's behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

High
Confidence
97% confidence
Finding
The skill metadata describes itself as universally applicable and activates on a very broad set of memory/self-improvement terms. That creates a real risk of unintended invocation in unrelated conversations, which can silently enable persistence, retrieval, or workflow changes outside user expectations.

Vague Triggers

High
Confidence
98% confidence
Finding
The trigger list includes common conversational words like '记住', 'memory', 'review', and 'optimize' that can appear in harmless requests. Because the skill also performs memory retrieval and persistence, broad keyword activation increases the chance of accidental collection or reuse of user data across sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These sections instruct the agent to store user preferences, work patterns, and profile-like information in mid- and long-term memory without an upfront disclosure or consent step. Persistent retention of behavioral and preference data is privacy-sensitive, especially when reused across future sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instruction to 'immediately apply' corrective actions without waiting for user confirmation authorizes autonomous changes after an error. In environments with file, memory, or skill-management tools, this can cause unintended writes, modifications, or state changes that the user did not approve.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The protocol instructs the agent to create and register a new skill after a simple confirmation prompt, but it does not clearly warn that this will modify persistent files or the agent's future behavior. In a self-improving agent context, silent persistence is risky because a user may approve extraction without realizing it writes durable artifacts that can later influence task execution.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to clean raw pattern data from L2 after extraction describes deletion of stored history without a user-facing warning, retention policy, or recovery path. This can cause silent loss of potentially important audit or debugging context, and in a memory-driven agent it may also erase evidence needed to review how an auto-generated skill was derived.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly directs retention of user preferences, work habits, and profile information in long-lived stores for future reuse. This creates a genuine cross-session privacy and data-minimization risk, because sensitive behavioral data may persist indefinitely and be reused outside the original context.

Ssd 3

Medium
Confidence
98% confidence
Finding
The mandatory pre-task retrieval flow and automatic injection of long-term memory into future tasks broadens access to prior user data regardless of necessity. This increases the chance of inappropriate context carryover, privacy leakage, and use of stale or sensitive memory in unrelated interactions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.