Back to skill

Security audit

Self-Improving Support

Security checks across malware telemetry and agentic risk

Overview

This support-logging skill is not malicious, but it asks users to enable broad hooks and persistent agent-behavior changes that deserve careful review before installation.

Install only in a dedicated support workspace. Prefer project-level setup, replace empty hook matchers with support-specific patterns, keep PostToolUse disabled unless you really need command-output detection, and require human review before editing SOUL.md, AGENTS.md, TOOLS.md, or enabling any generated skills. Do not store customer PII, credentials, raw ticket text, or regulated data in .learnings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares itself as a support-logging workflow, but the documented setup includes cloning from a remote Git repository and enabling hooks that invoke external scripts. Even if the network activity occurs during installation rather than normal runtime, this is still a meaningful capability that should be explicitly declared because it expands trust boundaries and can introduce unreviewed code into the agent environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description says it captures support learnings, but the actual documented behavior is much broader: always-on prompt hooks, post-tool output inspection, and generation of new skill scaffolds on disk. That mismatch is dangerous because users may grant trust appropriate for simple logging while the skill silently gains surveillance and persistence capabilities far beyond the stated purpose.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This section expands the skill from local support-note logging into modifying broader agent guidance targets such as SOUL.md, AGENTS.md, and TOOLS.md. Altering these higher-precedence instruction files can change future agent behavior persistently, which is a significant scope increase compared with the declared logging function.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The hook documentation adds automated inspection of Bash tool output, which means the skill can monitor command results unrelated to support tickets. That broadens data access and creates a prompt-injection surface where arbitrary tool output can trigger logging or other actions not clearly bounded to the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic skill extraction allows this support-logging skill to create new reusable skills on disk, effectively turning observations into executable/persistent agent capabilities. That is an unjustified escalation because it converts passive documentation into active self-extension, increasing the risk of propagating mistakes, prompt injections, or unsafe patterns across sessions.

Vague Triggers

High
Confidence
97% confidence
Finding
An empty matcher on UserPromptSubmit causes the hook to run for every user prompt, regardless of whether the conversation concerns support issues. This is dangerous because it creates pervasive automatic activation, increases the chance of irrelevant data capture, and enlarges the attack surface for prompt-triggered behavior on unrelated tasks.

Vague Triggers

High
Confidence
98% confidence
Finding
The advanced hook example repeats the same empty matcher problem while also pairing it with PostToolUse logic, making the skill trigger on all prompts and then inspect subsequent Bash activity. This combination creates broad ambient monitoring and materially increases the chance of collecting unrelated context or being influenced by adversarial content in normal tool output.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The empty matcher causes the UserPromptSubmit hook to run on every prompt, not just support-related interactions. Because the hook injects additional context automatically into all sessions, it broadens the collection and influence scope beyond the stated support-improvement use case and can expose unrelated or sensitive prompts to the hook pipeline.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The user-level configuration enables the hook globally across sessions, which means the support-improvement behavior can activate in unrelated projects and contexts. In combination with broad matching, this creates persistent, ambiguous scope that can affect sensitive workflows outside support operations.

Vague Triggers

Low
Confidence
84% confidence
Finding
The verification step explicitly tells users to confirm activation on 'any prompt,' reinforcing that the hook is intentionally overbroad. This increases the chance that the hook will run in contexts containing unrelated secrets, personal data, or internal material, even if the script itself only emits text.

Session Persistence

Medium
Category
Rogue Agent
Content
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
Confidence
84% confidence
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.