Self-Improving Human-Resources

Security checks across malware telemetry and agentic risk

Overview

This HR logging skill is not clearly malicious, but it needs review because it handles sensitive HR context while recommending broad always-on hooks and persistent workflow changes.

Install only if you intentionally want persistent HR process logging. Keep .learnings local and out of version control, do not store PII or confidential employee details, use project-local hooks with HR-specific matchers, avoid the Bash output detector unless necessary, and manually review any proposed policy, AGENTS.md, or generated-skill changes before accepting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Severity: Medium (82% confidence)
The skill is described as logging learnings, but it also instructs promotion into broader policy documents, calendars, checklists, and agent control files. That expands the trust boundary from passive note capture to modification of operational governance artifacts, which can quietly influence future workflows and decisions.

Context-Inappropriate Capability

Severity: Medium (90% confidence)
The skill includes logic for extracting or generating new reusable skills, which is outside the stated HR logging purpose. Self-replication or scaffold generation increases the blast radius of mistakes and could be abused to spread unsafe instructions into additional skill files under the workspace.

Description-Behavior Mismatch

Severity: Medium (94% confidence)
The documentation expands a narrowly described HR-improvement skill into broad, always-on monitoring by wiring it to every prompt submission and Bash tool output. Even if intended for reminders, this creates unnecessary access to potentially sensitive user inputs and command output, increasing data exposure and function creep beyond the stated purpose.

Context-Inappropriate Capability

Severity: Medium (89% confidence)
Installing a PostToolUse Bash inspection hook gives the skill visibility into command output that may contain secrets, PII, internal paths, or unrelated business data, while the HR-improvement use case does not clearly require such broad inspection. This mismatch between capability and purpose makes over-collection and accidental disclosure more likely.

Intent-Code Divergence

Severity: High (97% confidence)
The security section is materially misleading: it says scripts 'don't modify files or run commands' while the setup explicitly configures command hooks that execute shell scripts. Misrepresenting execution behavior can cause users to trust and install automation with more privilege and runtime capability than they understand, which is dangerous for any hook-based system.

Vague Triggers

Severity: Medium (93% confidence)
An empty hook matcher causes the activator script to run on every user prompt, regardless of whether the session involves HR tasks. This broad interception increases unnecessary exposure of session context, raises prompt-injection surface area, and can create persistent monitoring behavior that users did not intend.

Vague Triggers

Severity: Medium (94% confidence)
The advanced hook configuration again uses an empty matcher, and in this case also attaches to PostToolUse for Bash, enabling broad automated inspection of command activity. In an HR setting, this is especially risky because unrelated shell output may contain sensitive operational or personnel-adjacent data that the skill was never meant to inspect.

Vague Triggers

Severity: Medium (96% confidence)
An empty matcher on UserPromptSubmit causes the hook to fire on every prompt, regardless of whether the interaction is HR-related. This broad trigger unnecessarily exposes all user prompts to the skill's activation logic and undermines least-privilege and data-minimization principles.

Vague Triggers

Severity: High (98% confidence)
The user-level configuration recommends globally enabling an empty-match hook, causing the skill to activate for all prompts across all projects and sessions. This persistence and breadth substantially increase the chance of capturing unrelated sensitive data and normalize an over-privileged monitoring pattern.

Vague Triggers

Severity: Medium (95% confidence)
The Codex setup repeats the same overbroad empty-matcher pattern, extending the risk to another agent environment. This broadens the blast radius and makes indiscriminate activation a default cross-tool behavior rather than a narrowly scoped exception.

VirusTotal

64/64 vendors flagged this skill as clean.