Security audit

Self-Improving Operations

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed operations-learning helper that writes local notes and optional reminders; it has broad opt-in hooks users should scope carefully, but the artifacts do not show hidden data theft, destructive behavior, or automatic remediation.

Install if you want local operational-learning logs and reminder hooks. Prefer project-level setup, use narrowed matchers instead of always-on hooks where possible, avoid global activation unless you really want cross-project reminders, and do not record secrets, raw customer data, hostnames, internal IPs, or unredacted command output. Treat the automated remediation examples as design notes only; production actions need explicit approval gates, allowlists, rollback plans, and audit logging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill declares itself as a logging/workflow aid, but it includes installation and integration paths that pull content from a remote repository and enable hook scripts, which introduces effective network capability without an explicit permissions declaration. Hidden or undeclared network-dependent behavior weakens trust boundaries and can lead users to install or execute remote code they did not expect from the manifest.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is operational learning capture, but the skill also instructs broad session hook injection, command-output scanning, and skill generation. That mismatch is dangerous because users may authorize a seemingly narrow logging skill while it gains broader influence over prompts, tool outputs, and filesystem state than expected.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
Instructing users to modify AGENTS.md, CLAUDE.md, or other workspace control files expands the skill's reach beyond local note-taking into persistent agent behavior shaping. This creates a supply-chain style risk where a logging skill can alter future agent decisions across unrelated tasks.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Automatic skill extraction/generation exceeds the stated scope of capturing operations learnings and enables the skill to create new reusable artifacts on disk. That broadens the blast radius from passive logging to code/content generation, which can propagate unsafe patterns or create unauthorized capabilities.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
A documented ability to extract new skills is not necessary for an operations learning logger and materially increases privilege and persistence. Unjustified feature expansion is dangerous because it normalizes turning operational observations into executable or instructional artifacts without adequate security review.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The skill warns against logging secrets and sensitive infrastructure data, but later examples encourage recording commands, root-cause details, dashboards, and infrastructure-specific remediation steps. In operations contexts, those artifacts often contain hostnames, service topology, internal paths, or sensitive tokens, so the mixed guidance can lead to inadvertent disclosure in persistent files.
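One way to reconcile the mixed guidance is a redaction gate that runs before any learning entry is written to disk. This is an added example, not code from the skill; the patterns and the sample entry are constructed for illustration and will need tuning for a real environment.

```python
"""Redact values the overview says must not be persisted in learning notes."""
import re

# Patterns are assumptions for this example; extend them for your environment.
PATTERNS = [
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # key=value style credentials: token=..., password: ..., api_key=...
    ("TOKEN", re.compile(r"\b(?:token|secret|password|api[_-]?key)\s*[=:]\s*\S+", re.I)),
    # internal hostnames under private-looking suffixes
    ("HOST", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|corp)\b", re.I)),
]


def redact(text):
    """Replace each match with a labelled placeholder. Returns (text, count)."""
    total = 0
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"<{label}-REDACTED>", text)
        total += n
    return text, total


def safe_to_persist(text):
    """True only if nothing needed redacting; use this as the write gate."""
    return redact(text)[1] == 0


# Constructed sample learning entry containing the kinds of data flagged above.
SAMPLE = (
    "Root cause: api-gateway on 10.42.7.15 ran out of file descriptors.\n"
    "Fix: ssh deploy@gw-01.prod.internal, then restart; dashboard token=sk_live_abc123"
)
```

Calling `redact(SAMPLE)` replaces the IP, the internal hostname and the token with placeholders while leaving the service name and the root-cause narrative intact.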

Vague Triggers

Medium
Confidence
94% confidence
Finding
An empty UserPromptSubmit matcher causes the hook to run on every prompt, regardless of whether the user is doing operations work. Overly broad activation increases prompt-surface exposure, causes unnecessary persistence and monitoring, and can interfere with unrelated tasks.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The advanced setup again uses an empty matcher and additionally attaches PostToolUse behavior to Bash, enabling broad inspection of command activity. This is risky because it effectively monitors all shell interactions in the workspace and may capture sensitive output unrelated to the skill's purpose.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example feature request promotes alert-triggered automated runbook execution, including actions like restarting services, clearing caches, and scaling replicas, but it does not include an explicit warning, approval boundary, or human-in-the-loop safeguard for potentially disruptive actions. In an operations-improvement skill, this can normalize unsafe automation patterns and lead downstream implementers to build remediation workflows that act on noisy alerts or incorrect incident classification, causing outages or amplifying incidents.
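The guard rails this finding asks for (allowlist, confidence threshold, human approval for disruptive actions, rollback plan, audit log) can be made concrete in a small dispatcher. This is an added example, not part of the skill; the action names, policies and threshold are constructed.

```python
"""Approval-gated remediation dispatcher showing the guard rails the finding above asks for."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Allowlist of permitted actions. Names and policies are constructed for this example.
ALLOWLIST = {
    "clear_cache": {"needs_approval": False, "rollback": "cache repopulates on demand"},
    "restart_service": {"needs_approval": True, "rollback": "redeploy previous release"},
    "scale_replicas": {"needs_approval": True, "rollback": None},  # no plan on file yet
}


@dataclass
class Alert:
    name: str
    confidence: float            # how sure the classifier is about the incident class
    action: str                  # remediation the runbook proposes
    approved_by: Optional[str] = None


@dataclass
class Dispatcher:
    min_confidence: float = 0.9
    audit_log: list = field(default_factory=list)

    def _record(self, alert, decision, reason):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "alert": alert.name, "action": alert.action,
            "decision": decision, "reason": reason, "approved_by": alert.approved_by,
        })
        return decision

    def decide(self, alert):
        """Return 'run', 'hold' or 'reject'. Executing the action is left to the caller."""
        policy = ALLOWLIST.get(alert.action)
        if policy is None:
            return self._record(alert, "reject", "action is not allowlisted")
        if not policy["rollback"]:
            return self._record(alert, "reject", "no rollback plan on file")
        if alert.confidence < self.min_confidence:
            return self._record(alert, "hold", "alert too noisy: below confidence threshold")
        if policy["needs_approval"] and not alert.approved_by:
            return self._record(alert, "hold", "disruptive action needs human approval")
        return self._record(alert, "run", "allowlisted, rollback known, approved")
```

Every decision, including the rejections and holds, lands in `audit_log`, so a noisy alert that never reaches "run" still leaves a trace.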

Vague Triggers

Medium
Confidence
94% confidence
Finding
The empty matcher makes the UserPromptSubmit hook fire on every prompt, creating an always-on interception point for all user interactions. In a skill that injects reminders into agent context, this broad trigger increases exposure of sensitive prompt content and expands the blast radius if the hooked script is modified, replaced, or behaves unexpectedly.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The user-level configuration recommends global activation, which causes the hook to run across all repositories and sessions without meaningful scope constraints. This creates persistent cross-project monitoring behavior and increases the chance of collecting unrelated or sensitive prompt data outside the intended operational-improvement use case.
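The four trigger findings above reduce to a few mechanical checks. The following is an added example, not the scanner's code; it assumes a settings-file layout where `hooks` maps an event name to a list of entries with a `matcher` string, and treats `scope="user"` as the global activation the findings warn about.

```python
"""Audit an agent hooks config for the over-broad triggers flagged in the findings above."""
import json

# Constructed sample in the layout this example assumes:
# "hooks" -> event name -> list of {"matcher": ..., "hooks": [...]} entries.
SAMPLE_CONFIG = json.loads("""
{
  "hooks": {
    "UserPromptSubmit": [
      {"matcher": "", "hooks": [{"type": "command", "command": "ops-reminder.sh"}]}
    ],
    "PostToolUse": [
      {"matcher": "Bash", "hooks": [{"type": "command", "command": "scan-output.sh"}]}
    ]
  }
}
""")


def audit_hooks(config, scope="project"):
    """Return (severity, message) tuples; scope is "project" or "user" (global)."""
    findings = []
    hooks = config.get("hooks", {})
    if scope == "user" and hooks:
        findings.append(("medium", "user-level hooks run in every repository and session"))
    for event, entries in hooks.items():
        for entry in entries:
            matcher = (entry.get("matcher") or "").strip()
            if matcher in ("", "*"):
                findings.append(("medium", f"{event}: empty matcher fires on every event"))
            if event == "PostToolUse" and matcher == "Bash":
                findings.append(("medium", "PostToolUse on Bash sees every shell command's output"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_hooks(SAMPLE_CONFIG, scope="user"):
        print(severity, message)
```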

Session Persistence

Medium
Category
Rogue Agent
Content (excerpt)
    └── FEATURE_REQUESTS.md
    ```

    ### Create Learning Files

    ```bash
    mkdir -p ~/.openclaw/workspace/.learnings
Confidence
73% confidence
Finding
Create Learning Files: `mkdir -p ~/.openclaw`

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.