Security checks across malware telemetry and agentic risk

Overview

This is a disclosed self-improvement memory skill, but its package identity mismatch and its persistent changes to agent behavior need review before installation.

Install only if you want a local, persistent memory system that can change how the agent behaves in later sessions. Verify the publisher and package identity mismatch first, review proposed edits to AGENTS.md, SOUL.md, and HEARTBEAT.md, decline the optional Proactivity install until reviewed separately, and avoid storing sensitive information in the memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch
Severity: Medium (92% confidence)
Finding: The documented commands turn a self-improvement skill into a general-purpose persistent memory manager that can search, display, export, and delete stored user data across tiers. This broadens data handling far beyond the stated scope and creates privacy and consent risks, especially because users may not realize the skill is retaining and exposing long-term memory.

Description-Behavior Mismatch
Severity: Medium (89% confidence)
Finding: The weekly maintenance workflow performs autonomous scanning, moving, archiving, compaction, and index updates on stored user data, which exceeds a narrow self-improvement function. Automatic background modification of retained data increases the chance of silent retention, unexpected data movement, and loss of user control over what is stored and where.

Missing User Warnings
Severity: Medium (92% confidence)
Finding: The skill instructs the agent to automatically log user corrections and preferences into persistent local files, but it does not require an explicit user warning or consent step before storing potentially sensitive statements. Even with a stated boundary against storing credentials and health data, users may disclose sensitive information in corrections or preferences, leading to unintended long-term retention.

Vague Triggers
Severity: Medium (96% confidence)
Finding: The trigger phrase "forget everything" is generic enough that it could plausibly appear in normal conversation, quoted text, or user examples, causing accidental activation of destructive memory operations. In a self-improving/proactive agent that persists learned state, an unintended wipe can disrupt behavior, destroy user-approved context, and be abused by prompt-injection or indirect input channels to trigger data deletion.

Missing User Warnings
Severity: Medium (98% confidence)
Finding: The kill-switch procedure exports current memory to a file before wiping it, but the boundary document does not require user consent, secure destination handling, or disclosure that data will be written to disk. For a memory-bearing agent, this creates a confidentiality risk because supposedly deleted data may persist in an export artifact, backup system, or shared filesystem, undermining the user's expectation of deletion.

Missing User Warnings
Severity: Medium (89% confidence)
Finding: The skill explicitly instructs the agent to log corrections, classify them, and write them into persistent namespaces such as global, domain, and project scopes, but it provides no user-facing notice, consent step, retention policy, or review/delete mechanism. Even though the content tries to avoid obviously sensitive learning, it still creates persistent behavioral profiles and project/person-specific preference records, which can expose user data, surprise users, and lead to privacy violations or cross-context leakage.

Missing User Warnings
Severity: Low (88% confidence)
Finding: The template instructs the agent to create persistent files under `~/self-improving` without any user warning, consent gate, or data minimization guidance. In the context of a self-improving/proactive agent, this is a real safety issue because it encourages silent long-term storage of user-related preferences, corrections, and activity state on the host filesystem.

Vague Triggers
Severity: Medium (84% confidence)
Finding: The condition 'If project detected → preload relevant namespace' is ambiguous and can trigger memory loading without clear user intent or a well-defined project boundary. In a memory-bearing skill, ambiguous automatic activation is dangerous because it can cause unnecessary access to stored context and increase the risk of cross-project data leakage or overcollection.

Missing User Warnings
Severity: Medium (95% confidence)
Finding: The correction-handling flow writes new information into persistent files and updates indexes automatically, but the skill description does not clearly warn users that their inputs may be stored long-term. Silent automatic writes are risky because users may provide sensitive preferences, project details, or corrections without informed consent, assuming they are ephemeral.

Missing User Warnings
Severity: Medium (93% confidence)
Finding: The scheduled maintenance section describes automatic modification and archival of stored data, but there is no corresponding warning that user data may be reorganized, compacted, or moved across retention tiers. This lack of transparency undermines informed consent and can lead to unexpected persistence, hidden retention, or difficulty locating and deleting stored information.

Missing User Warnings
Severity: Medium (88% confidence)
Finding: The guidance explicitly recommends 'Aggressive learning, minimal confirmation' for power users, which can cause the agent to persist or act on inferred preferences without clear user approval. In a self-improving memory skill, this is more dangerous because learned data may affect future behavior across sessions, leading to unintended preference capture, incorrect memory writes, or privacy-impacting retention.

Missing User Warnings
Severity: Medium (95% confidence)
Finding: The setup directs the agent to create persistent files and directories under the user's home directory (`~/self-improving/...`) without an explicit consent checkpoint or a clear warning that local filesystem state will be modified. Because this is an agent skill intended to be followed operationally, it can cause unexpected persistence of data, unintended storage of sensitive information, and workspace contamination if applied automatically or in the wrong context.

Ssd 3
Severity: Medium (95% confidence)
Finding: The skill is designed to persist user-provided statements and preferences across interactions, which creates a semantic retention risk even if the feature is framed as helpful memory. Stored preferences and corrections can reveal habits, project details, or personal patterns over time, especially because logging is described as automatic rather than strictly consent-based.

Ssd 3
Severity: Medium (90% confidence)
Finding: The skill supports broad querying, listing, and export of accumulated memory, which increases the chance that stored user-derived data will be exposed in bulk. Export and broad recall features amplify the effect of any over-collection or misclassification of sensitive content because a single action can disclose the full retained history.

VirusTotal

65/65 vendors flagged this skill as clean.