Improvement Learner

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to improve other skills, but it can modify target directories, run target tests, call the local Claude CLI, and make git commits without clear opt-in boundaries.

Install only if you intend to run an active self-improvement tool on trusted, backed-up, version-controlled skills. Avoid using it on untrusted skill packages or sensitive SKILL.md content unless pytest and Claude execution are sandboxed or disabled, and review diffs before accepting generated changes or commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        result = subprocess.run(
            ["claude", "-p", "--output-format", "json"],
            input=prompt,
            capture_output=True,
            text=True,
            timeout=120,
        )
Confidence
95% confidence
Finding
result = subprocess.run( ["claude", "-p", "--output-format", "json"], input=prompt, capture_output=True, text=True, timeout=120,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Base score from tests (0.0-1.0)
    if has_tests:
        try:
            result = subprocess.run(
                [sys.executable, "-m", "pytest",
                 str(skill_path / "tests"), "-q", "--tb=no"],
                capture_output=True, text=True, timeout=30,
            )
Confidence
79% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pytest", str(skill_path / "tests"), "-q", "--tb=no"], capture_output=True, text=True, time

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises shell execution and file read/write behavior via its CLI examples and described automation, but it declares no permissions or capability boundaries. This creates a trust and containment problem: an orchestrator or user may invoke a skill that can modify files or run commands without any explicit consent model, increasing the chance of unintended code execution or repository changes.
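The underdeclared-capability finding above is mechanical to reproduce: walk the skill's Python AST, map dangerous calls to capabilities, and diff that against what the manifest declares. The following is an added example written for this page, not SkillSpector's or the skill's own code. The capability names, the call-to-capability mapping, the manifest shape (a plain set of strings) and the sample source are all assumptions; the sample source is constructed to mirror the behaviour the findings describe.

```python
"""Added example: compare the capabilities a skill's source actually exercises
with the ones its manifest declares. Mapping, manifest shape and sample source
are assumptions for illustration, not the skill's or the scanner's own code."""
import ast

# Dotted call names that imply a capability (assumed mapping for this example).
CAPABILITY_OF_CALL = {
    "subprocess.run": "shell_exec",
    "subprocess.Popen": "shell_exec",
    "subprocess.check_output": "shell_exec",
    "os.system": "shell_exec",
    "shutil.rmtree": "fs_delete",
    "shutil.copytree": "fs_write",
    "eval": "dynamic_code",
    "exec": "dynamic_code",
    "__import__": "dynamic_import",
}


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _first_argv_word(call):
    """If the first argument is a list literal whose head is a string constant,
    return it (the program name handed to subprocess); otherwise None."""
    if call.args and isinstance(call.args[0], ast.List) and call.args[0].elts:
        head = call.args[0].elts[0]
        if isinstance(head, ast.Constant) and isinstance(head.value, str):
            return head.value
    return None


def detect_capabilities(source):
    """Map each capability implied by a call in `source` to the lines using it."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        cap = CAPABILITY_OF_CALL.get(_dotted_name(node.func))
        if cap is None:
            continue
        found.setdefault(cap, []).append(node.lineno)
        # A git subcommand handed to subprocess also rewrites repository state.
        if cap == "shell_exec" and _first_argv_word(node) == "git":
            found.setdefault("vcs_write", []).append(node.lineno)
    return {cap: sorted(lines) for cap, lines in found.items()}


def underdeclared(source, declared):
    """Capabilities the code exercises that the manifest does not declare."""
    return sorted(set(detect_capabilities(source)) - set(declared))


# Constructed sample mirroring the behaviour reported in the findings
# (LLM CLI call, pytest run, rmtree-based revert, automatic git commit).
SAMPLE_SKILL_SOURCE = '''
import subprocess, shutil, sys

def score(prompt, skill_path):
    result = subprocess.run(["claude", "-p", "--output-format", "json"],
                            input=prompt, capture_output=True, text=True, timeout=120)
    tests = subprocess.run([sys.executable, "-m", "pytest", str(skill_path / "tests")],
                           capture_output=True, text=True, timeout=30)
    return result, tests

def revert_to_backup(skill_path, backup):
    shutil.rmtree(skill_path)
    shutil.copytree(backup, skill_path)

def commit(skill_path):
    subprocess.run(["git", "add", "-A"], cwd=skill_path, check=True)
    subprocess.run(["git", "commit", "-m", "improve"], cwd=skill_path, check=True)
'''

# Assumed manifest: the skill only admits to reading files.
DECLARED = {"fs_read"}

if __name__ == "__main__":
    print(detect_capabilities(SAMPLE_SKILL_SOURCE))
    print("underdeclared:", underdeclared(SAMPLE_SKILL_SOURCE, DECLARED))
```

Running it against the constructed sample reports shell_exec, fs_delete, fs_write and vcs_write as undeclared; an orchestrator can refuse to load a skill whose undeclared list is non-empty, or require the manifest to be extended and reviewed first. The detector is syntactic and will miss calls reached through aliases or getattr, which is why a declaration model is a complement to review, not a substitute.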

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared description frames the skill as a scoring and optimization helper, but the detected behavior includes external LLM invocation, test execution, file creation/modification, git operations, and security scanning with punitive score changes. This mismatch is dangerous because operators may grant or trigger the skill under the assumption that it is a passive evaluator when it can perform materially more powerful actions affecting the filesystem, repository history, and external toolchain.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill's stated purpose is evaluation/improvement, but it also stages and commits repository changes automatically. This hidden write-side effect can be abused to persist unwanted changes, alter audit trails, or surprise users who expected read-mostly analysis behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
`revert_to_backup` deletes the target skill directory with `shutil.rmtree` before restoring it, without confirmation, path safety checks, or rollback hardening. If `skill_path` is wrong, attacker-controlled, or unexpectedly broad, this can cause destructive data loss across arbitrary directories accessible to the process.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code performs `git add` and `git commit` automatically with no user-facing warning or approval. In a self-modifying tool, silent VCS side effects can persist malicious or low-quality changes and make unintended modifications appear authoritative in project history.
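The two write-side findings above (unguarded `shutil.rmtree` in `revert_to_backup`, and silent `git add`/`git commit`) share the same fix: confine paths to a known root, make the destructive step explicitly opt-in, and leave repository changes staged for review unless the caller asked for a commit. The following is an added example written for this page, not the skill's own implementation; the `root` argument, the `confirm`/`allow_commit` parameters, the staging-rename strategy and the `demo` scenario are assumptions.

```python
"""Added example: hardened versions of the revert and commit steps the findings
describe. Illustrative code for this page, not the skill's own; the root
confinement, opt-in flags and demo scenario are assumptions."""
from pathlib import Path
import shutil
import subprocess
import tempfile


class UnsafePathError(ValueError):
    pass


def contained_path(candidate, root):
    """Resolve `candidate` (following symlinks) and require it to be strictly
    inside `root`. Refuses `root` itself so a wrong skill_path cannot delete
    the whole skills tree."""
    root = Path(root).resolve()
    resolved = Path(candidate).resolve()
    if resolved == root or root not in resolved.parents:
        raise UnsafePathError(f"{candidate} is not inside {root}")
    return resolved


def revert_to_backup(skill_path, backup_path, root, *, confirm=False):
    """Restore `skill_path` from `backup_path`. Both must live under `root` and
    the caller must pass confirm=True; without it nothing is touched."""
    target = contained_path(skill_path, root)
    backup = contained_path(backup_path, root)
    if not backup.is_dir():
        raise FileNotFoundError(backup)
    if not confirm:
        raise PermissionError("revert_to_backup requires confirm=True")
    # Move the live tree aside instead of deleting it first: if the copy fails,
    # the original is put back rather than lost.
    staging = target.with_name(target.name + ".reverting")
    if staging.exists():
        shutil.rmtree(staging)
    if target.exists():
        target.rename(staging)
    try:
        shutil.copytree(backup, target)
    except Exception:
        shutil.rmtree(target, ignore_errors=True)
        if staging.exists():
            staging.rename(target)
        raise
    shutil.rmtree(staging, ignore_errors=True)
    return target


def stage_changes(repo, message, *, allow_commit=False):
    """Stage the working tree and return the cached diffstat for review.
    A commit is created only when the caller explicitly opted in."""
    subprocess.run(["git", "add", "-A"], cwd=repo, check=True)
    diffstat = subprocess.run(["git", "diff", "--cached", "--stat"], cwd=repo,
                              check=True, capture_output=True, text=True).stdout
    if allow_commit:
        subprocess.run(["git", "commit", "-q", "-m", message], cwd=repo, check=True)
    return diffstat


def demo():
    """Constructed scenario (no git needed): a skill directory, its backup, and
    the guards exercised against bad paths and a missing confirmation."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        skill = root / "skills" / "improvement-learner"
        backup = root / "backups" / "improvement-learner"
        skill.mkdir(parents=True)
        backup.mkdir(parents=True)
        (backup / "SKILL.md").write_text("original")
        (skill / "SKILL.md").write_text("mutated")
        out = {}
        for key, bad in (("outside_rejected", root.parent), ("root_rejected", root)):
            try:
                contained_path(bad, root)
                out[key] = False
            except UnsafePathError:
                out[key] = True
        try:
            revert_to_backup(skill, backup, root)
            out["confirm_required"] = False
        except PermissionError:
            out["confirm_required"] = True
        out["still_mutated"] = (skill / "SKILL.md").read_text() == "mutated"
        revert_to_backup(skill, backup, root, confirm=True)
        out["restored"] = (skill / "SKILL.md").read_text()
        return out


if __name__ == "__main__":
    print(demo())
```

With `allow_commit` defaulting to False the tool's default behaviour becomes "stage and show me", which matches what a user of an evaluation skill expects, and the diffstat it returns is what the operator reviews before deciding to commit.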

VirusTotal

67/67 vendors reported this skill as clean (no detections).
