
Security audit

Self-Improving Analytics

Security checks across malware telemetry and agentic risk

Overview

The skill is an analytics learning logger, but its optional hooks and promotion workflows can persistently affect agent behavior and inspect broad command output unless carefully scoped.

Install only if you want persistent analytics learning logs and agent reminders. Prefer project-local setup, replace empty hook matchers with analytics-specific filters, avoid global user-level hooks, leave Bash output detection disabled unless needed, and review any changes to AGENTS.md, CLAUDE.md, TOOLS.md, or generated skills before trusting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The description presents the skill as a passive analytics logging aid, but the body also instructs broad hook-based activation, Bash output inspection, and skill extraction/scaffolding workflows. This mismatch is dangerous because operators may trust and enable the skill without realizing it can inject itself into the session flow and monitor tool output more broadly than advertised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The documentation recommends a user-level hook configuration that activates on every prompt, expanding the skill's influence far beyond the stated analytics-incident use cases. This creates a broad prompt-surface injection point and persistent behavioral modification across unrelated tasks, which is risky even if the injected content is nominally benign.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The security section states the scripts 'only output text' and 'don't modify files or run commands,' but the setup explicitly installs them as command hooks executed by the agent environment. That mismatch can mislead users into underestimating execution risk, since any command hook runs with agent privileges and could be changed later or behave unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The hook matcher is empty, so the reminder hook will fire on every user prompt instead of only in analytics-related contexts. Overly broad automatic activation increases prompt-surface exposure, causes unnecessary persistence, and can leak unrelated workflow content into this skill's processing path.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The second hook example again uses an empty matcher, and additionally attaches a `PostToolUse` Bash hook that can inspect all Bash tool output. This broad interception can capture unrelated command output, increasing the chance of sensitive data exposure and unintended monitoring across the entire session.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding: An empty matcher causes the hook to fire on every user prompt, not just analytics-related incidents. This broadens the attack and influence surface, introduces persistent unsolicited context injection, and can affect agent behavior during unrelated coding, security, or operational tasks.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.