Self Improving Agent.Tmp

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly harmful, but it asks agents to create persistent memory, use broad hooks, and move session knowledge without enough privacy controls.

Install only if you intentionally want persistent self-improvement memory. Prefer project-local setup over global hooks, keep hooks disabled unless needed, require explicit approval before promoting anything into instruction or memory files, and never log secrets, tokens, personal data, raw transcripts, or confidential business context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill's declared purpose is narrow, but the content introduces additional capabilities such as hook-triggered automation, cross-session coordination, and skill extraction. This matters because operators may trust and enable it as a harmless note-taking utility while actually granting it broader persistence and automation behavior than advertised.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill documents use of session history, message passing, and sub-agent spawning, which extends its reach beyond local self-improvement logging into cross-session data movement. In this context, that increases the chance that sensitive conversation content or derived learnings are disclosed to other sessions or agents without clear need or consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The hook setup causes automatic command execution on prompt submission and after Bash tool use, which is substantially more powerful than passive learning capture. Automatic hooks can broaden the blast radius of mistakes, create unreviewed side effects, and normalize execution of local scripts in response to routine interaction events.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automated skill extraction writes new reusable artifacts to disk based on prior learnings, which is a separate content-generation capability from simple note logging. If the logged material contains bad guidance, sensitive data, or adversarial content, this feature can amplify and operationalize it into new prompts or skills.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims the hook scripts 'only output text' and 'do not run commands,' but the configuration explicitly executes shell scripts via command hooks. This mismatch can mislead users into granting undue trust to code that runs in their environment with the agent's permissions, increasing the risk of unsafe installation and execution.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation criteria are extremely broad and cover many normal failures, corrections, and discoveries. In practice this can cause over-triggering, excessive logging, and increased collection of conversational and operational data beyond what is necessary.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The detection triggers rely on common phrases like corrections or feature wishes that appear frequently in ordinary conversation, without guardrails or context checks. That can lead to inadvertent capture of routine user dialogue into persistent files, increasing privacy and data retention risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The templates instruct the agent to record full context, raw errors, inputs, parameters, and user needs, but do not warn against including credentials, secrets, personal data, or proprietary information. Persistent markdown logs are easy to copy, commit, sync, or inspect later, turning transient sensitive data into durable exposure.

Vague Triggers

Medium
Confidence
91% confidence
Finding
An empty matcher causes the UserPromptSubmit hook to fire on every prompt, creating broad, automatic execution of the configured shell script. In a self-improvement skill, this increases exposure because the hook runs continuously across normal workflows, making misuse, prompt-triggered persistence, or accidental data capture more likely.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The user-level configuration enables global automatic activation from the home directory, so the hook can execute across all projects and sessions without meaningful trigger constraints. This broadens blast radius substantially: any issue in the script, path hijack, or unintended behavior affects the entire user environment rather than a single repository.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Although labeled 'minimal,' this setup still uses an empty matcher, so it remains active for every prompt rather than only relevant error or learning scenarios. That makes the example deceptively broad and encourages users to deploy always-on command execution under the guise of a lower-overhead configuration.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Codex CLI example also uses an empty matcher, which effectively enables command execution on every prompt in that environment. Repeating this pattern across tools normalizes unsafe defaults and increases the chance that users propagate broad hook execution into multiple agent platforms.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger example uses very common conversational phrasing like user corrections, which can cause the self-improvement workflow to activate during ordinary dialogue rather than only on clearly defined failure conditions. In a system that persists learnings or promotes them into injected workspace context, over-triggering can pollute memory and create an avenue for indirect prompt-injection persistence.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The 'Knowledge gaps' trigger is ambiguous and lacks operational boundaries, leaving the agent to decide subjectively when to record or promote information. Ambiguous persistence triggers increase the risk of storing untrusted or low-quality content that may later be reinjected into future sessions.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill encourages persistent logging of learnings and promotion of them into broader memory files, which can preserve user-provided details far beyond the original interaction. In a self-improvement context, this is especially risky because the captured content is natural language and may include secrets, private business context, or security-relevant operational details.

Ssd 3

Medium
Confidence
95% confidence
Finding
The learning template explicitly asks for full context, which strongly encourages verbatim retention of conversational and task details. That creates a natural-language leakage channel where confidential information is stored in plaintext and may later be reused or shared outside its original scope.

Ssd 3

Medium
Confidence
96% confidence
Finding
The error and feature-request templates direct capture of actual error output, input parameters, and user context, all of which commonly contain tokens, file paths, internal hostnames, or business-sensitive requests. Persisting these verbatim in markdown materially increases disclosure risk if the files are later shared, indexed, or committed.

Ssd 3

High
Confidence
97% confidence
Finding
Reading other session transcripts and sending learnings across sessions extends disclosure beyond the original user interaction boundary. Even if intended for productivity, this creates a direct semantic path for sensitive conversation details to propagate to other agents or contexts that were not originally authorized to receive them.

Session Persistence

Medium
Category
Rogue Agent
Content
```
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
```
Confidence
84% confidence
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
openclaw hooks enable self-improvement
```

### 3. Create Learning Files

Create the `.learnings/` directory in your workspace:
Confidence
84% confidence
Finding
Create Learning Files Create the `.learnings/` directory in your workspace: ```bash mkdir -p ~/.openclaw/workspace/.learnings ``` Or in the skill directory: ```bash mkdir -p ~/.openclaw

VirusTotal

63/63 vendors flagged this skill as clean.
