Self-Improving Meta

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it needs review because it can persistently steer or change agent prompts, hooks, memory, and skill files with inconsistent approval boundaries.

Install only if you intentionally want an agent to help maintain its own prompt, hook, memory, and skill infrastructure. Keep hooks project-scoped, avoid empty or global matchers, do not log secrets or raw command output, and require an explicit reviewed diff before any edit to shared prompt files, memory, hooks, rules, or skill definitions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The document first forbids auto-modifying core prompt files without explicit approval, then elsewhere encourages direct application of fixes to the governed files. In a self-improving skill that targets agent infrastructure, this contradiction can normalize unauthorized edits to high-impact control files and weaken operator review gates.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The skill says important learnings should be promoted only after explicit human review, but later states broadly applicable fixes may be promoted directly to affected files. Because this skill governs infrastructure used by future sessions, that inconsistency creates a real risk of silent self-modification of trusted agent control surfaces.

Vague Triggers

Medium
Confidence: 86%
Finding
An empty hook matcher causes the activator to run on every user prompt, dramatically broadening the skill's automatic activation surface. For a meta-skill that can influence infrastructure and persistent learnings, this increases the chance of unnecessary prompting, noisy persistence, and unintended workflow manipulation.

Vague Triggers

Medium
Confidence: 87%
Finding
The advanced hook setup repeats the same empty matcher pattern, extending broad activation to additional events including PostToolUse. This can cause the skill to inspect or react to far more activity than necessary, increasing accidental logging and persistent meta-behavior changes.

Vague Triggers

Medium
Confidence: 88%
Finding
The template tells authors to include trigger conditions but does not require them to be narrow, testable, or accompanied by exclusions. In a meta-skill that modifies shared agent infrastructure, vague triggers can cause skills to activate too broadly and unintentionally alter prompts, hooks, rules, or memory behavior across many sessions.

Vague Triggers

Medium
Confidence: 95%
Finding
The empty matcher causes the UserPromptSubmit hook to fire on every prompt, greatly expanding the hook’s activation scope. In a self-improving infrastructure skill, this increases the chance of unnecessary prompt interception, context pollution, and unreviewed persistence of meta-behavior across normal workflows.

Session Persistence

Medium
Category: Rogue Agent
Confidence: 87%
Content (truncated excerpt from the skill):

### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root (activator-only recommended):

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
```

VirusTotal

47/47 vendors reported this skill as clean.