Self Improving Agent Shared

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it broadly persists and shares agent learnings, prompts, errors, and cross-session context without enough privacy boundaries.

Install it only if you want persistent agent memory and are willing to manage it. Keep hooks project-scoped, review the hook scripts before enabling them, and avoid global empty-match hooks. Before writing or promoting a learning, require a sanitized summary rather than raw prompts, transcripts, command output, secrets, tokens, customer data, or private project details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document’s security section understates behavior by claiming the scripts only output text and do not run commands, while the file explicitly configures them as command hooks and also documents invoking an additional script directly. Misleading assurances around execution behavior can cause users to trust and deploy hook scripts without appropriate review, increasing the chance of unsafe code execution in the agent environment.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The detection triggers use common conversational phrases like corrections, requests, and questions as automatic logging signals. In practice, this can cause the agent to capture routine user input and surrounding context without meaningful consent, increasing the chance of sensitive information being persisted or propagated.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill repeatedly instructs the agent to record errors, corrections, full context, environment details, and user-provided information, but it never establishes redaction, secret filtering, or privacy constraints. That creates a substantial risk of storing credentials, tokens, proprietary code, personal data, or internal operational details in durable markdown logs.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using an empty matcher causes the hook to fire on every user prompt, creating a broad and persistent trigger surface. In a self-improvement skill, that means unscoped prompt interception on every interaction, which can leak sensitive context to hook scripts, increase unintended influence on agent behavior, and make abuse harder to notice.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The user-level configuration applies the empty matcher globally, so the hook activates across all prompts in all sessions for that user. Global persistence makes the behavior more dangerous than a project-local example because it broadens data exposure, increases blast radius, and can silently affect unrelated work.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Although labeled as minimal setup, this example still triggers on any prompt due to the empty matcher, so it minimizes overhead but not scope. That can normalize always-on interception and encourage deployment without clear boundaries, especially in environments where prompts may include secrets, credentials, or unrelated sensitive tasks.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Codex CLI setup repeats the same broad empty-matcher pattern, extending the risk to another agent platform. Recommending an unrestricted trigger in multiple environments increases the likelihood of widespread deployment of over-broad hooks and persistent prompt monitoring.
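The four Vague Triggers findings above all turn on one configuration shape: a `command` hook on the prompt-submission event with an empty matcher, made worse when the same entry sits in the user-level settings file and therefore runs in every project. The following is an added example, not code from the skill, from SkillSpector, or from any agent platform. It audits a settings document of the layout shown in the flagged configuration excerpt on this page and returns the commands a reviewer must read before enabling anything. The event and matcher semantics, the script paths, the sample configurations, and the severity scale are assumptions made for the example.

```python
"""Audit an agent hooks configuration for the trigger pattern the findings above
describe: a "command" hook on a prompt-submission event with an empty matcher,
and the same hook installed at user (global) scope rather than project scope.

Added example, not code from the scanned skill or from SkillSpector. It assumes
the settings layout shown in the report's excerpt:
  {"hooks": {"<Event>": [{"matcher": "", "hooks": [{"type": "command", "command": "..."}]}]}}
The sample configurations and script paths below are constructed for this example.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class HookFinding:
    scope: str      # "project" or "user"
    event: str      # lifecycle event the hook is attached to
    command: str    # script or command the agent will execute
    severity: str   # low / medium / high
    reason: str


def audit_hooks(settings: dict, scope: str) -> list:
    """Return one finding per command hook that is empty-matched or installed globally.

    The report rates both the project-level and the user-level empty matcher as
    medium and calls the user-level one more dangerous; this audit raises the
    user-level case to high because it runs in every session for that user. A
    user-level hook with a non-empty matcher is still listed (low) so the reviewer
    sees every command that executes outside the project that installed it.
    """
    findings = []
    for event, entries in settings.get("hooks", {}).items():
        for entry in entries:
            matcher = entry.get("matcher", "")  # a missing matcher is treated like ""
            for hook in entry.get("hooks", []):
                if hook.get("type") != "command":
                    continue
                command = hook.get("command", "<missing command>")
                if matcher == "":
                    severity = "high" if scope == "user" else "medium"
                    reason = f"empty matcher: runs on every {event} event"
                    if scope == "user":
                        reason += " in every project for this user"
                    findings.append(HookFinding(scope, event, command, severity, reason))
                elif scope == "user":
                    findings.append(HookFinding(scope, event, command, "low",
                                                "user-level hook: runs outside the project that installed it"))
    return findings


def commands_to_review(findings) -> list:
    """Distinct commands the reviewer should read before enabling the hooks."""
    return sorted({f.command for f in findings})


# Constructed sample: the pattern flagged in the report (empty matcher on every prompt).
BROAD_SETTINGS = json.loads("""
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {"type": "command", "command": ".claude/hooks/record-learning.sh"}
        ]
      }
    ]
  }
}
""")

# Constructed sample of a narrower hook: attached to a tool event and limited by a
# matcher pattern, so it does not see every prompt. The matcher value is an assumption.
SCOPED_SETTINGS = json.loads("""
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit",
        "hooks": [
          {"type": "command", "command": ".claude/hooks/record-edit-summary.sh"}
        ]
      }
    ]
  }
}
""")


if __name__ == "__main__":
    for cfg, scope in [(BROAD_SETTINGS, "project"), (BROAD_SETTINGS, "user"), (SCOPED_SETTINGS, "project")]:
        for f in audit_hooks(cfg, scope):
            print(f"[{f.severity}] {f.scope}/{f.event}: {f.command}: {f.reason}")
    print("review before enabling:", commands_to_review(audit_hooks(BROAD_SETTINGS, "user")))
```

Run it against both `.claude/settings.json` in the project and the user-level settings file; an empty result for the user-level file is the state the overview recommends, and every command the audit lists is one whose script you should have read in full.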

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Enabling a hook causes automatic execution on lifecycle events, but the setup steps do not clearly warn the user that this creates an event-triggered execution path. In a prompt-injection-oriented system, auto-triggered hooks increase attack surface because users may enable behavior that runs implicitly across future sessions without fully understanding when it executes.

Ssd 3

Medium
Confidence
93% confidence
Finding
This section encourages persistent logging and promotion of user corrections, workflow details, and session-derived information into multiple files, expanding retention and visibility without clear sensitivity limits. That increases the blast radius of any sensitive content accidentally captured, especially if those files are synced, committed, or shared across environments.

Ssd 3

High
Confidence
97% confidence
Finding
The inter-session features explicitly encourage reading other sessions' transcripts and sending learnings between sessions, which creates a direct avenue for cross-session disclosure of confidential prompts, outputs, and operational context. Even if intended for productivity, this weakens isolation and can spread sensitive information far beyond the original session's need-to-know scope.

Ssd 3

Medium
Confidence
96% confidence
Finding
The templates instruct agents to capture full context, actual error output, inputs, parameters, and user context in natural-language records. Those fields are exactly where secrets, personal data, internal URLs, auth headers, file paths, and proprietary details commonly appear, making accidental long-term retention highly likely.
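The overview asks for sanitized summaries instead of raw prompts, transcripts, command output, secrets or customer data, and the Missing User Warnings finding and this templates finding describe exactly the fields where that material lands. The following is an added example, not code from the skill or from SkillSpector, of one way to gate a learning record before it is written to a durable log or promoted to a shared file: reject records that still carry raw capture fields, and redact secret-shaped values from the summary that is allowed through. The field names, the regular expressions, and the sample record are constructed assumptions for the example.

```python
"""Gate a candidate learning before it is written to a durable log or promoted to a
shared file: refuse records that still carry raw capture fields, and redact
secret-shaped values from the free-text summary that is allowed through.

Added example, not code from the scanned skill or from SkillSpector. The field
names (summary, raw_prompt, transcript, command_output, scope), the redaction
patterns, and the sample record are assumptions constructed for this example.
"""
import re

# Fields the overview says must never be persisted verbatim. A record that still
# carries them is rejected rather than redacted, because regex redaction over a
# whole transcript or command output is not reliable enough to trust.
RAW_FIELDS = ("raw_prompt", "transcript", "command_output")

# Secret- and identifier-shaped values that turn up in "actual error output" and
# "full context" fields. Specific patterns run before the generic key=value one so
# the generic pattern never consumes part of a value first.
REDACTIONS = [
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED_PRIVATE_KEY]"),
    (re.compile(r"(?i)\bauthorization:\s*bearer\s+\S+"), "Authorization: Bearer [REDACTED]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY_ID]"),
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), "[REDACTED_GITHUB_TOKEN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED_EMAIL]"),
    (re.compile(r"https?://[^\s/]+\.(?:internal|corp|local)\b\S*"), "[REDACTED_INTERNAL_URL]"),
    # Generic NAME=value / NAME: value where NAME contains a secret-like word; the
    # name is kept so the log still says which setting was involved.
    (re.compile(r"(?i)\b([\w-]*(?:api[_-]?key|secret|token|password)[\w-]*)\s*[=:]\s*['\"]?[^\s'\"]+"),
     r"\1=[REDACTED]"),
]


def redact(text: str) -> tuple:
    """Apply every pattern in order; return the redacted text and the substitution count."""
    total = 0
    for pattern, replacement in REDACTIONS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


def sanitize_learning(record: dict) -> dict:
    """Return a record safe to write or promote, or raise if it carries raw captures."""
    present = [f for f in RAW_FIELDS if record.get(f)]
    if present:
        raise ValueError(f"refusing to persist raw capture fields {present}; write a summary instead")
    summary, count = redact(record.get("summary", ""))
    return {"title": record.get("title", ""), "summary": summary,
            "redactions": count, "scope": record.get("scope", "project")}


def rejects_raw_capture(record: dict) -> bool:
    """True when sanitize_learning refuses the record because it carries raw fields."""
    try:
        sanitize_learning(record)
    except ValueError:
        return True
    return False


# Constructed sample of the kind of "full context" the templates ask for: the
# credentials, internal host and reporter address are all fictitious.
SAMPLE_RECORD = {
    "title": "Deploy script failed against staging",
    "summary": (
        "Running deploy.sh failed with 401. The request used Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc "
        "against https://vault.corp.internal/v1/secret; the shell had AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
        "and AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, and db password=hunter2. "
        "Reported by alice@example.com. Fix: refresh the token before calling the API."
    ),
    "scope": "project",
}


if __name__ == "__main__":
    clean = sanitize_learning(SAMPLE_RECORD)
    print(f"{clean['redactions']} redactions:\n{clean['summary']}")
    print("raw prompt rejected:", rejects_raw_capture({"summary": "ok", "raw_prompt": "..."}))
```

The hard reject on raw fields matters more than the regex list: pattern-based redaction catches the common token shapes, but it cannot recognise proprietary code, customer names or a novel credential format, so the only reliable control is to never let the full prompt, transcript or command output reach the log in the first place.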

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
```

(The excerpt ends here in the scan output.)
Confidence
78% confidence
Finding
The flagged content is the excerpt above: a `command` hook registered on the `UserPromptSubmit` event with an empty `matcher`, the same empty-match pattern described in the Vague Triggers findings.

VirusTotal

65/65 vendors flagged this skill as clean.
