Security audit

Self-Improving Conversation

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can persist conversation snippets and broadly influence future agent behavior, so users should review its scope before installing.

Install only if you want persistent conversation-learning behavior. Keep hooks project-scoped with narrow matchers, avoid user-level global activation, prefer redacted summaries over raw excerpts, do not store secrets or private user/customer data, and require human review before promoting logs into AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md, Copilot instructions, or generated skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94%
Finding
The skill is presented as a simple conversation-learning logger, but the documented behavior extends into session-wide hook injection, automatic prompt-triggered reminders, tool-output scanning, and skill scaffolding. This mismatch is dangerous because operators may enable it with a much broader trust boundary than intended, causing unexpected persistence, monitoring, and modification behavior across sessions.

Description-Behavior Mismatch

Medium
Confidence
88%
Finding
The skill expands from logging learnings into modifying broader agent instruction files and promoting content into persistent memory surfaces. That broadens its authority from note-taking to behavioral reprogramming of agents, which can alter future model behavior and create an instruction-persistence channel beyond the user's immediate intent.

Description-Behavior Mismatch

Medium
Confidence
91%
Finding
Automatic hook configuration is materially different from passive conversation logging because it creates recurring triggers on future prompts and tool events. This makes the skill more dangerous in context: once installed, it can influence many later interactions without per-use consent, increasing the blast radius of bad logic or misuse.

Context-Inappropriate Capability

Medium
Confidence
86%
Finding
Extracting and scaffolding new skills from logged learnings goes far beyond the stated purpose of recording dialogue issues. This is risky because it turns unreviewed conversational artifacts into executable or reusable agent capabilities, potentially propagating unsafe instructions or prompt-injection content into new skills.

Intent-Code Divergence

Medium
Confidence
84%
Finding
The document claims constrained writes in stackable mode, yet earlier sections authorize writes to multiple non-namespaced instruction and memory files. This inconsistency is dangerous because defenders may rely on the narrower claim while the skill's documented workflow still enables broader persistence and modification of agent behavior.

Vague Triggers

Medium
Confidence
92%
Finding
An empty hook matcher causes activation on every user prompt, which is overly broad for a skill meant to respond to specific conversation-quality signals. This can create pervasive monitoring, unnecessary prompt augmentation, accidental data capture, and easier abuse as a general-purpose persistence mechanism.

Missing User Warnings

Medium
Confidence
95%
Finding
The skill encourages storing conversation excerpts and issue logs locally without a clear, upfront consent and retention warning, even though dialogue content can easily contain personal, confidential, or regulated data. In context, this is especially risky because the skill is explicitly triggered by emotionally charged or failed conversations, which often include sensitive details users did not intend to be persisted.

Missing User Warnings

Medium
Confidence
95%
Finding
The hook injects instructions to persist conversation-derived learnings, including frustration, confusion, escalation requests, hallucinations, and dialogue excerpts, into workspace files without any consent, notice, or data-minimization controls. This creates a privacy and data-retention risk because user-provided content may be stored beyond the active session and later exposed to other tools, agents, or operators with workspace access.

Vague Triggers

Medium
Confidence
94%
Finding
Using an empty matcher on UserPromptSubmit causes the hook to run on every prompt, regardless of whether the conversation involves self-improvement scenarios. Because the hook injects additional context automatically, this broad trigger increases prompt-surface area, risks unnecessary exposure of sensitive conversational context to the hook logic, and can create persistent behavior changes across all sessions.

Vague Triggers

Medium
Confidence
95%
Finding
The user-level configuration enables the hook globally for all prompts across projects, making the behavior persistent and difficult to constrain. In a skill that captures dialogue learnings and reviews conversation quality, global activation increases the chance of over-collection, accidental processing of sensitive conversations, and unintended cross-context influence.

Vague Triggers

Medium
Confidence
93%
Finding
The Codex example repeats the same empty-matcher pattern, so the hook will trigger for every prompt in that environment as well. Broad automatic activation is especially risky for conversation-analysis skills because they can continuously inject guidance or collect learnings from unrelated workflows.

Ssd 3

Medium
Confidence
93%
Finding
The reminder explicitly tells the agent to capture dialogue excerpts and operational conversation metadata into persistent '.learnings' files. In this skill's context, that is more dangerous because the feature is specifically designed for self-improvement across conversations, increasing the likelihood of accumulating sensitive user inputs, support requests, or other personal data in long-lived storage without strong safeguards.

Session Persistence

Medium
Category
Rogue Agent
Content
```
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
```
Confidence
82%
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
```
Confidence
88%
Finding
Create `.claude/settings.json` in your project root:

```json
{ "hooks": { "UserPromptSubmit": [ { "matcher": "", "hooks": [ { "type": "command",
```

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.