ClawHub
Back to skill

Security audit

Self Improving Compound

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory and self-improvement skill, but users should enable its cron, hooks, transcript collection, and auto-promotion features deliberately because they persist conversation and workspace data.

Install only if you want a persistent local agent-memory system. Before enabling cron, hooks, collectors, or auto-promotion, confirm the workspace root, timezone, delivery target, and trusted helper paths. Do not feed it secrets or raw private transcripts, review generated learning/promotion files, and avoid --auto-promote unless you are comfortable with the agent writing rules into AGENTS.md or similar control-plane files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
out_path.write_text(json.dumps(report, ensure_ascii=False, indent=2), encoding="utf-8")
    if args.log and candidates:
        sample = "; ".join(f"{Path(c['file']).name}:{c['line']} {c['text'][:120]}" for c in candidates[:5])
        subprocess.run([
            sys.executable, str(skill), "--root", str(root), "log-error",
            "--summary", f"Learning audit found {len(candidates)} possible missed capture-gate item(s)",
            "--details", f"Audit candidates: {sample}. Review {out_path} and convert real reusable lessons into specific log-correction/log-error/log-learning entries.",
Confidence
93% confidence
Finding
subprocess.run([ sys.executable, str(skill), "--root", str(root), "log-error", "--summary", f"Learning audit found {len(candidates)} possible missed capture-gate item(s

Tainted flow: 'skill' from os.environ.get (line 61, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
out_path.write_text(json.dumps(report, ensure_ascii=False, indent=2), encoding="utf-8")
    if args.log and candidates:
        sample = "; ".join(f"{Path(c['file']).name}:{c['line']} {c['text'][:120]}" for c in candidates[:5])
        subprocess.run([
            sys.executable, str(skill), "--root", str(root), "log-error",
            "--summary", f"Learning audit found {len(candidates)} possible missed capture-gate item(s)",
            "--details", f"Audit candidates: {sample}. Review {out_path} and convert real reusable lessons into specific log-correction/log-error/log-learning entries.",
Confidence
98% confidence
Finding
subprocess.run([ sys.executable, str(skill), "--root", str(root), "log-error", "--summary", f"Learning audit found {len(candidates)} possible missed capture-gate item(s

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script executes the contents of --collector or SELF_IMPROVING_DAILY_COLLECTOR via `bash -lc`, which gives shell interpretation to attacker-controlled input. In a skill explicitly designed for automation, cron jobs, and self-improvement hooks, this creates a realistic command-injection/RCE path if the variable or argument is influenced by an untrusted user, repository content, or environment.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The promotion flow can append learned content directly into sensitive workspace control-plane files such as `AGENTS.md` and `TOOLS.md`. In an agent ecosystem, these files can influence future behavior, so untrusted or weakly reviewed log content can become persistent instruction/configuration injection that survives beyond the original session.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The recommended cron schedule is hard-coded to Asia/Shanghai, and the skill also includes commands that generate date-stamped memory files using that timezone. In a self-modifying memory and automation skill, an incorrect timezone can cause jobs to run at unintended hours, produce misleading daily digests, or silently shift retention/audit boundaries, which undermines reliability and could expose sensitive summaries at the wrong time.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The hook forwards arbitrary error details to a persistent SQLite logging backend without any visible consent, notice, redaction, or sensitivity checks. In this skill's context, error text can easily contain secrets, prompts, filesystem paths, tokens, user content, or proprietary workspace data, so silent persistence increases privacy and data-retention risk beyond the immediate task.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`maintain --apply --auto-promote` can write queued content into workspace files automatically, without an explicit per-item confirmation at the moment of modification. Because the promoted content originates from prior logs and can target influential markdown files, this creates a path for unintended persistence of unsafe or manipulative text into files that may later be trusted by agents or operators.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The script captures output from `openclaw status`, `gateway status`, and possibly `doctor` into a persistent log file, and diagnostic output can contain environment details, service endpoints, stack traces, or other sensitive operational data. In the context of a self-improving memory/learning system that stores and reuses observations, persistent collection of such diagnostics increases the chance that sensitive data is retained or later surfaced beyond its original troubleshooting purpose.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The collect path reads user/assistant transcript content from the session file and writes it verbatim into incremental JSON and Markdown files under the workspace. That creates an additional persistence and exposure surface for potentially sensitive conversation data, and there is no consent check, minimization, redaction, or warning before copying the transcript into easier-to-find output files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.