AI Self-Evolution Engine (AI 自我进化引擎)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed book-analysis tool that saves a local mental-model library and can optionally sync records to Feishu or Notion when configured.

Install if you want a durable local reading and mental-model memory. Keep Feishu/Notion export disabled for confidential material, prefer environment variables for tokens, review generated files under memory/knowledge-base and memory/reading-history.json, and avoid putting sensitive employer, project, or personal details in USER.md unless you want them used in outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium, Confidence: 84%
The README advertises optional Feishu/Notion uploads even though the skill is primarily presented as a local extraction and storage tool. Expanding a local knowledge-processing skill to transmit content to external SaaS increases data exposure risk, especially if users assume the skill is local-only and provide sensitive notes, prompts, or derived content.

Context-Inappropriate Capability

Severity: Medium, Confidence: 88%
Introducing Feishu/Notion token-based upload capability creates a real exfiltration surface that is broader than the stated purpose of building a local mental-model library. If enabled, extracted content and possibly user context could be sent to third-party platforms, which is dangerous when the skill encourages persistent accumulation of cross-session knowledge.

Description-Behavior Mismatch

Severity: Medium, Confidence: 87%
The file adds a `book-scout` web-search fallback when no user-specified or queued book exists, introducing external network-driven behavior that is not obvious from the core local knowledge-forging workflow. This expands the skill's attack surface by allowing untrusted remote content to influence selection and downstream processing, creating a capability-disclosure and trust-boundary issue.

Context-Inappropriate Capability

Severity: Medium, Confidence: 81%
For a skill described primarily as extracting mental models and writing local pattern files, automatically reaching out to a web-search skill is a meaningful capability expansion not strictly required for core operation. If exploited or abused, remote search results could steer the system toward adversarial, low-quality, or prompt-injecting sources that contaminate the generated knowledge base.

Missing User Warnings

Severity: Medium, Confidence: 90%
The skill silently creates and updates persistent workspace files on each run, including knowledge-base entries and reading history, without an explicit user-facing consent step. This can lead to unintended data persistence, overwrite/append side effects, and surprise modification of a user's local workspace, especially when runs are triggered automatically.

Missing User Warnings

Severity: Medium, Confidence: 97%
The workflow sends analysis records to Feishu or Notion without a clear privacy notice that generated content may include user-tailored material derived from USER.md. Users may reasonably believe the skill operates locally, yet their reading activity, analysis output, and personalized prompts could be transmitted to third-party services.

Missing User Warnings

Severity: Low, Confidence: 72%
The logic says the first queued item is removed from `memory/reading-history.json`, which is a persistent state mutation, but no user warning or consent language is provided nearby. This can surprise users and undermine auditability because simply running the skill changes long-lived memory rather than only producing an analysis result.

Missing User Warnings

Severity: Low, Confidence: 78%
The section instructs the AI to append user-requested books into `reading-history.json`, creating persistent storage of user-provided content without an explicit retention notice or consent mechanism. While low severity, this is still a real transparency and data-handling issue because users may not expect durable memory writes from a conversational request.

Ssd 3

Severity: Medium, Confidence: 95%
The skill explicitly instructs reading personal details from USER.md and weaving them into generated output in plain language. Because these details include profession, projects, company names, and current challenges, the skill increases the risk of sensitive information disclosure in responses, logs, shared transcripts, or downstream integrations.

Ssd 3

Severity: High, Confidence: 99%
This is the most serious issue: the skill can export extracted analysis and user-tailored fields to external services based on local configuration, creating an outbound data exfiltration path for personalized content. In context, the exported fields can include strategic questions and application scenarios derived from USER.md, so the danger is materially higher than a generic book-summary sync.

VirusTotal

64/64 vendors flagged this skill as clean.