Back to skill

Security audit

中文 自我改进代理

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can persistently change what the agent remembers and how it behaves through broad hooks and memory files without enough user control.

Install only after narrowing the setup. Prefer no automatic hooks, or use project-scoped hooks with restrictive matchers. Do not enable global always-on hooks unless you trust the repository and scripts. Require explicit review before writing to memory or agent instruction files, and never store secrets, credentials, personal data, raw transcripts, or unredacted command output in learning files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document states that the hook scripts 'only output text' and 'don't modify files or run commands', but the configuration explicitly invokes them as shell commands via the hook system. This is dangerous because it downplays the execution risk of arbitrary local scripts, which run with the agent user's permissions and could be modified, replaced, or extended to perform unintended actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill defines broad self-activation conditions such as when the agent 'discovers a better method' or when the user installs the skill, without clear boundaries or a requirement for user confirmation before acting. In a skill that also updates memory and alters future behavior, vague triggers can cause unexpected invocation, over-collection of data, or autonomous persistence beyond what the user intended.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger table includes multiple loosely defined conditions such as user correction, outdated knowledge, and better methods, but does not specify limits, approval gates, or exclusions. This makes the skill more dangerous in context because the same document also instructs the agent to record information and update memory permanently, increasing the chance of unintended persistence or repeated self-invocation loops.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to update memory.md with 'new knowledge' and describes this as permanent improvement, but does not prominently disclose to the user that information may be persistently stored. In practice, this can lead to retention of sensitive user content, incorrect conclusions, or prompt-injected data across sessions without informed consent.

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
Confidence
86% confidence
Finding
Create `.claude/settings.json` in your project root: ```json { "hooks": { "UserPromptSubmit": [ { "matcher": "", "hooks": [ { "type": "command",

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.