Self-Improving Coding Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed coding-learning helper that writes local notes and offers optional reminder hooks, with some scoping cautions but no artifact-backed malicious behavior.

Reasonable to install for coding workflows. Keep .learnings local if it may contain proprietary code context, avoid logging secrets or full stack traces, prefer project-level hooks with a narrow matcher, and review any proposed edits to lint configs, AGENTS.md, CLAUDE.md, TOOLS.md, or generated skills before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill is presented as a passive logging aid, but the instructions expand into hook-based automatic execution, tool-output scanning, virtual prompt injection, and even scaffolding new skills. That mismatch is dangerous because users or agents may grant it broader trust than warranted, enabling persistent automation and behavior changes under a benign-sounding description.

Description-Behavior Mismatch
Severity: Medium
Confidence: 86%
Finding: The documentation goes beyond recording learnings and instructs modification of broader project guidance and configuration artifacts such as style guides, lint configs, AGENTS.md, and TOOLS.md. This widens the skill's authority from note-taking to changing developer and agent behavior across the workspace, which can create prompt-persistence and configuration-integrity risks.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The hook configuration and helper scripts introduce automatic command execution on prompt submission and after tool use, which is a meaningful expansion from a logging skill. Automatic shell execution increases attack surface because trigger frequency is high, scope is broad, and users may not realize the skill now participates in every session event.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The document states the scripts 'only output text' and 'do not run commands', but the configured hook type is explicitly 'command' and executes shell scripts. This can mislead users into underestimating the trust and privilege boundary, causing them to install auto-executed code with the agent's permissions and weaker scrutiny.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: An empty matcher causes the hook to fire for every user prompt, giving this skill broad and persistent influence over sessions regardless of whether coding-learning behavior is relevant. Overly broad automatic activation is risky because it amplifies any downstream script behavior, prompt injection, or logging mistake across all interactions.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The advanced setup repeats the same broad empty-matcher pattern, now for multiple lifecycle hooks including PostToolUse. This compounds risk by letting the skill automatically inspect and react to many events, increasing the chance of unintended persistence, noisy interception, or abuse through crafted tool output.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: Using an empty matcher causes the hook to run on every prompt, greatly expanding the trigger surface and increasing the chance that sensitive or irrelevant contexts are processed by the script. In a self-improving coding skill, this broad activation makes accidental capture, prompt contamination, and unnecessary execution more likely than a narrowly scoped coding-only trigger.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The global user-level example combines an empty matcher with persistent installation, causing the hook to run for all prompts across projects and sessions. That broad scope increases exposure to sensitive prompts and makes unintended execution much more dangerous than a project-local, purpose-limited configuration.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: Although labeled 'minimal', this setup still runs on every prompt because the matcher is empty. Reducing the number of hooks does not mitigate the core issue of overbroad activation, so the script may still process unrelated prompts and execute unnecessarily.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The Codex example also uses an empty matcher, effectively enabling execution for every prompt without clear boundaries. Because this is presented as copy-paste configuration, users may deploy always-on hooks unintentionally, increasing privacy and execution risk.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The document explicitly recommends cross-session sharing via `sessions_send` and `sessions_spawn` but does not warn that code, stack traces, bug patterns, or proprietary implementation details may be disclosed to other sessions or agents. In a skill focused on capturing debugging and coding learnings, this increases the chance that sensitive source code or internal defects are propagated beyond the originating context without user awareness.

Session Persistence
Severity: Medium
Category: Rogue Agent
Confidence: 86%
Content (flagged excerpt from the skill's documentation; the report truncates it after the hook type):

### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
```

VirusTotal

65/65 vendors flagged this skill as clean.
