Auto Improvement

Security checks across malware telemetry and agentic risk

Overview

This self-improvement skill is purpose-aligned, but it asks agents to persist and share conversation-derived learnings with weak scoping and sanitization controls.

Install only if you want durable agent memory for errors, corrections, and workflow learnings. Before enabling hooks, inspect the scripts and prefer project-level, narrowly matched hooks over global every-prompt activation. Do not store secrets, credentials, personal data, customer content, raw transcripts, or sensitive command output in .learnings or promoted instruction files; sanitize entries and review them before sharing across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium, 97% confidence
Finding
The document states the hook scripts only output text and do not run commands, but the examples configure them as command hooks and also document directly executing another script. This mismatch can mislead users into underestimating the trust and execution risk of these scripts, causing them to enable automatic code execution in their agent environment without appropriate review.

Vague Triggers

Medium, 93% confidence
Finding
An empty matcher on UserPromptSubmit causes the hook to fire for every prompt, creating a very broad automatic trigger. In this skill context, that means a script is executed on every interaction, increasing attack surface, enabling prompt-wide persistence, and making accidental or malicious behavior harder to contain.

Vague Triggers

Medium, 95% confidence
Finding
The user-level configuration enables the hook globally across sessions with no meaningful trigger constraint. That broad persistence makes the behavior more dangerous because it follows the user into unrelated repositories and contexts, potentially exposing sensitive prompts and normalizing automatic execution of local scripts everywhere.

Vague Triggers

Medium, 92% confidence
Finding
Although labeled minimal setup, the example still uses an unconstrained matcher that activates on every prompt. Reducing the number of hooks lowers overhead but does not address the core security issue of unconditional automatic execution and persistent prompt interception.

Vague Triggers

Medium, 93% confidence
Finding
The Codex setup repeats the same empty-matcher pattern, causing the hook to execute on every prompt in that environment as well. Duplicating the insecure pattern across tooling increases the likelihood of widespread deployment and persistent unintended behavior.

Missing User Warnings

Medium, 89% confidence
Finding
The document instructs users to copy and enable a custom hook, which implicitly causes OpenClaw to execute hook code from the installed directory. Even if intended as normal setup guidance, omitting an explicit warning or trust boundary makes it easier for users to enable unreviewed code execution in a highly privileged agent environment.

Ssd 3

Medium, 94% confidence
Finding
The skill explicitly instructs the agent to persist corrections, errors, requests, and broader session learnings into long-lived markdown files and to promote them into shared memory/context files. That creates a real risk of storing sensitive user data, secrets, internal paths, or proprietary workflow details in durable locations that may later be surfaced to other sessions or users.

Ssd 3

High, 97% confidence
Finding
The inter-session communication guidance encourages viewing other session transcripts and sending learnings between sessions without any confidentiality, need-to-know, or sanitization controls. This can disclose sensitive content across session boundaries and turn one session's private context into another session's prompt material.

Ssd 3

Medium, 95% confidence
Finding
The templates ask for full context, inputs/parameters, environment details, and user context, which strongly encourages copying potentially sensitive material into persistent logs. In practice, command inputs, error output, and user context often contain secrets, file paths, identifiers, or confidential business information.

VirusTotal

65/65 vendors flagged this skill as clean.