Self Improving Agent 1 0 2 Litiao

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for agent self-improvement, but it asks agents to persist and share detailed conversation, error, and session information without enough privacy or scope controls.

Install only if you intentionally want durable agent memory and optional prompt hooks. Before using it, require agents to redact secrets, tokens, personal data, customer data, raw prompts, and sensitive command output; prefer project-scoped hooks with narrow matchers; avoid global hook activation unless explicitly needed; and do not read or share other session transcripts without clear authorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Medium
Confidence: 96%
Finding:
The security section asserts the hook scripts only output text and do not run commands, yet the documented configuration invokes them as shell commands via the hook system. This kind of misleading safety claim can cause operators to under-trust the execution risk, making it easier to deploy command-executing hooks without appropriate review or sandboxing.

Intent-Code Divergence

Medium
Confidence: 91%
Finding:
The guide says the scripts do not modify files, but it also documents an extract script that creates a skill scaffold, which is a file-writing operation. Misrepresenting write behavior can lead users to enable automation in environments where file creation or workspace mutation should be tightly controlled.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The automatic logging guidance encourages recording operational details without any warning to exclude secrets, personal data, tokens, prompts, or environment-specific sensitive values. In practice, error text, command arguments, and debugging context frequently contain credentials or user data, so this creates a durable leakage channel into project files.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The document explicitly instructs operators to read transcript history from other sessions, which can expose sensitive prompts, secrets, user data, or unrelated project context if access boundaries are weak or if users assume session isolation. In a distributed multi-agent environment, normalizing transcript inspection without consent, minimization, or authorization guidance increases the chance of privacy violations and unintended data disclosure.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The guide encourages cross-session message sharing of operational learnings but provides no warning against sending secrets, tokens, private user data, or confidential project details. Because this skill is about capturing and propagating learnings across contexts, it increases the likelihood that sensitive information discovered in one session will be redistributed more broadly than necessary.

Vague Triggers

Medium
Confidence: 88%
Finding:
An empty matcher causes the hook to run on every prompt, which is overly broad and increases exposure of all user interactions to the configured command. In this skill context, that means persistent interception of agent sessions, potentially capturing sensitive prompts or creating unnecessary command execution on every interaction.

Vague Triggers

Medium
Confidence: 87%
Finding:
The user-level configuration enables global activation for all prompts, extending the command hook across all repositories and sessions. This broad persistence increases the blast radius of any script defect, compromise, or unexpected data handling because it applies outside the original project context.

Ssd 3

Medium
Confidence: 98%
Finding:
The skill explicitly promotes transferring conversation-derived content into persistent files such as CLAUDE.md, AGENTS.md, and copilot instructions, but it provides no safeguards for consent, sensitivity review, or minimization. That can convert transient user input, mistakes, or proprietary context into long-lived shared memory, increasing exposure across future sessions and contributors.

Ssd 3

Medium
Confidence: 99%
Finding:
The error logging template instructs the agent to record raw error messages, command inputs, parameters, and environment details. Those fields commonly contain secrets, file paths, customer data, auth headers, and internal infrastructure information, so the template materially increases the risk of persistent sensitive-data retention.

Ssd 3

Medium
Confidence: 96%
Finding:
The feature-request format and detection rules encourage saving what the user wanted and why they needed it, which can preserve sensitive intent, business context, or personal information. Because these entries are designed for retention and possible sharing, the skill creates a broad memory channel for user-supplied context without limits.

VirusTotal

66/66 vendors flagged this skill as clean.