Self Improving Agent 1.0.11

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it asks agents to store and reuse conversation-derived information broadly without enough safeguards for sensitive data.

Install only if you want persistent self-improvement memory. Keep hooks project-scoped where possible, inspect scripts before enabling them, avoid global always-on hooks for sensitive work, and do not store secrets, tokens, private transcripts, customer data, raw command outputs, or sensitive user details in .learnings or promoted instruction files unless reviewed and redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The document claims the hook scripts 'only output text' and 'don't modify files or run commands,' but the configuration explicitly executes shell scripts via command hooks. This mismatch can mislead users into granting trust to code that runs with the agent's privileges, reducing scrutiny and increasing the chance of unsafe deployment.

Vague Triggers

Medium
Confidence: 84%
Finding
An empty hook matcher causes the reminder hook to run for every prompt, regardless of context. In a skill that encourages persistent logging, broad activation increases the chance of collecting sensitive user content or repeatedly injecting behavior into unrelated tasks, expanding the privacy and prompt-scope risk surface.

Vague Triggers

Medium
Confidence: 87%
Finding
The second empty matcher broadens hook execution across all matching events, including post-tool contexts. Because this skill is designed to inspect failures and persist context, unrestricted triggering can capture command inputs, outputs, and surrounding context from unrelated or sensitive workflows.

Vague Triggers

Medium
Confidence: 88%
Finding
An empty matcher causes the hook to trigger on every prompt, creating broad, persistent execution of the configured script. In a self-improvement skill, that expands exposure from occasional learning capture to all interactions, increasing the blast radius if the script is modified, compromised, or unexpectedly costly.

Vague Triggers

Medium
Confidence: 90%
Finding
The user-level configuration enables the hook globally across sessions, and the example still uses an empty matcher. That makes the behavior persistent beyond a single project and can unintentionally inject or execute the script in unrelated contexts, including more sensitive work.

Vague Triggers

Medium
Confidence: 87%
Finding
Although presented as 'minimal,' this setup still runs on every prompt because the matcher is empty. Reducing the number of hooks lowers overhead, but it does not reduce the breadth of activation, so users may incorrectly assume the risk is minimal as well.

Vague Triggers

Medium
Confidence: 87%
Finding
The Codex example mirrors the same empty-matcher pattern, causing broad activation during normal prompting. Because this is documentation intended for reuse, it can propagate insecure defaults across environments and normalize always-on command execution.

Ssd 3

Medium
Confidence: 94%
Finding
The skill instructs the agent to persist user corrections, requests, and operational details into `.learnings` files across sessions. Without strong minimization and redaction rules, this can retain sensitive user data, proprietary context, or secrets longer than necessary and make later disclosure more likely.

Ssd 3

High
Confidence: 97%
Finding
Cross-session features that read transcripts and send learnings between sessions create a clear semantic data-exfiltration channel. Even if each individual session is trusted, moving information across session boundaries can leak confidential user data, credentials, or project-sensitive context into unrelated conversations or agents.

Ssd 3

Medium
Confidence: 95%
Finding
The prescribed logging format asks for full context, parameters, inputs, related files, and user context, which encourages over-collection. Persisting such detailed records increases the chance that secrets, internal paths, customer data, or sensitive prompts are stored in durable files and later reused or exposed.

Ssd 3

Medium
Confidence: 93%
Finding
Promoting learnings into durable agent context files broadens distribution of whatever was previously logged. If sensitive material enters `.learnings`, this workflow can amplify the exposure by copying it into higher-priority memory files that affect future sessions and agents.

VirusTotal

65/65 vendors flagged this skill as clean.