
Security audit

Self-Improving Marketing

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed marketing-notes skill with optional local reminders, but users should narrow the hook examples before enabling them.

Use this in marketing workspaces where persistent campaign learnings are useful. Keep hooks project-level, replace empty matchers with marketing-specific terms, avoid user-level global activation unless you want reminders in every session, and enable PostToolUse only if you are comfortable with local scripts inspecting command output. Do not store secrets, customer PII, ad account credentials, or sensitive revenue details in the learning files, and review any generated skill before trusting it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The stated purpose is passive marketing learning capture, but the file also instructs users to install hooks, inspect tool output, modify agent bootstrap behavior, and scaffold new skills. That mismatch is dangerous because operators may grant trust or broad execution privileges based on an understated description, enabling behavior beyond expected scope.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding: The skill goes beyond simple logging by directing execution of helper scripts and hook-based automation. This expands the attack surface from note-taking into code execution and event-triggered behavior, which can be abused or misapplied if users think they are enabling only harmless documentation features.

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding: Automatic skill extraction creates new reusable artifacts on disk, which is materially different from logging marketing learnings. Generating new skills can propagate unsafe patterns, create persistence, and cause privilege creep if the derived artifacts are later trusted or auto-loaded.

Intent-Code Divergence

Medium
Confidence: 86%
Finding: The file claims ownership is restricted to `.learnings/marketing/` in stackable mode, but earlier guidance instructs updates to `TOOLS.md` and `AGENTS.md`. This inconsistency is dangerous because it obscures actual write scope and can lead users to approve a skill believing it is sandboxed when it may influence broader agent behavior.

Vague Triggers

Medium
Confidence: 94%
Finding: An empty hook matcher causes activation on every user prompt, creating broad unsolicited execution and prompt injection opportunities. This can leak context into helper scripts, increase persistence, and make the skill effectively always-on rather than marketing-specific.

Vague Triggers

Medium
Confidence: 94%
Finding: The advanced setup repeats the same overly broad empty matcher, so the risk remains even when additional post-tool hooks are enabled. In practice this broadens passive monitoring from targeted marketing detection to all prompts, amplifying unintended data exposure and unnecessary trigger frequency.

Vague Triggers

Medium
Confidence: 93%
Finding: The empty matcher causes the hook to run on every prompt, which broadens the scope of automatic command execution far beyond marketing-related use cases. Because the hook launches a local script on each submission, it increases exposure to unintended data access, prompt-context contamination, and unnecessary execution of agent-side code.

Vague Triggers

Medium
Confidence: 90%
Finding: The user-level configuration recommends global activation, which makes the hook persist across all repositories and tasks instead of only relevant marketing contexts. This expands the blast radius if the script behaves unexpectedly, leaks context, or is later modified, since it will execute in unrelated sessions automatically.

Vague Triggers

Medium
Confidence: 92%
Finding: Although presented as a lower-overhead option, the minimal setup still triggers on every prompt due to the empty matcher. That means reduced complexity but not reduced scope, so the script still executes universally and can influence all agent interactions rather than only marketing-related ones.

Vague Triggers

Medium
Confidence: 91%
Finding: The Codex configuration mirrors the same all-prompts trigger pattern, extending the overbroad activation issue to another agent platform. Cross-platform documentation of unconstrained hooks increases the likelihood of users adopting unsafe defaults widely.

Vague Triggers

Medium
Confidence: 90%
Finding: The trigger table describes broad conditions like CTR drops, audience shifts, and brand violations without defining thresholds, scope, source validation, or negative examples. In an event-driven environment exposed to prompt injection, this can cause over-triggering and persistence of noisy or attacker-influenced data into workspace files, increasing the chance of unintended agent behavior across sessions.

Session Persistence

Medium
Category: Rogue Agent
Content (excerpt of the skill file as flagged):

````markdown
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
````

Confidence: 72%
Finding: Create Learning Files ```bash mkdir -p ~/.openclaw

Session Persistence

Medium
Category: Rogue Agent
Content (excerpt of the skill file as flagged):

````markdown
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
````

Confidence: 81%
Finding: Create `.claude/settings.json` in your project root: ```json { "hooks": { "UserPromptSubmit": [ { "matcher": "", "hooks": [ { "type": "command",

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.