Self-Evolving Agent (Lorin)

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but gives an agent persistent self-modification and logging workflows that need careful review before use.

Install only if you intentionally want persistent self-improvement behavior. Keep hooks project-scoped where possible, avoid empty/global matchers, require manual review before promoting anything into persistent prompt files, redact secrets and raw command output from learnings, and replace direct deletion with backup or trash-based removal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium | Confidence: 94%

The document states that the scripts 'only output text' and 'don't modify files or run commands,' but the same file instructs the host agent to execute those scripts as command hooks. This is misleading security guidance because it understates the trust boundary and may cause operators to enable automatically executed hooks without appropriately reviewing script behavior, permissions, or side effects.

Missing User Warnings

Severity: Medium | Confidence: 93%

The skill explicitly instructs deleting skill directories with a destructive command but provides no confirmation, validation, backup, or safety checks. In an agent setting, normalizing irreversible deletion increases the chance of accidental data loss, especially if category or skill-name values are wrong or expanded unexpectedly.

Vague Triggers

Severity: Medium | Confidence: 91%

An empty matcher causes the hook to trigger on every prompt, creating a broad, persistent execution surface for an automatically run command. In the context of a self-improving agent, this increases exposure to prompt-driven data capture, excessive context injection, and unintended processing of sensitive or irrelevant user interactions.

Vague Triggers

Severity: Medium | Confidence: 93%

The user-level configuration enables the hook globally across sessions without narrowing conditions, so the command will run for all future interactions in that environment. This is more dangerous than project-local setup because it creates long-lived, cross-project persistence that can affect unrelated repositories, workflows, and potentially sensitive prompts.

Vague Triggers

Severity: Medium | Confidence: 90%

The Codex example also uses an empty matcher, which leaves the trigger scope effectively unrestricted and causes command execution on every prompt. This broad activation is risky because it normalizes automatic hook execution across tools without requiring a specific operational need or bounded context.

Vague Triggers

Severity: Medium | Confidence: 85%

The trigger list is broad and encourages logging on common events like command failures, API errors, and knowledge gaps without requiring filtering or sensitivity review. In a self-improving agent that persistently writes learnings, this can lead to over-collection of user data, secrets, or irrelevant context and create a prompt-injection persistence channel.

Missing User Warnings

Severity: Medium | Confidence: 92%

The document instructs the agent to log learnings to workspace files but does not clearly warn against storing sensitive data or untrusted prompt content. Because these files are reinjected into future sessions, unsafe logging can persist secrets or attacker-controlled text and influence later model behavior.

Ssd 3

Severity: Medium | Confidence: 95%

The learning log template encourages persistent recording of detailed context from conversations and errors, which can include user-provided secrets, tokens, personal data, or internal paths. Because the design centers on long-term retention and reuse, any sensitive material captured here may be repeatedly exposed, propagated into future skills, or committed to storage unintentionally.

Ssd 3

Severity: Medium | Confidence: 98%

The error template explicitly asks for the attempted command, inputs or parameters, and environment details, which are common locations for credentials and other sensitive data. Persisting raw error context to .learnings/ERRORS.md creates a durable secret leakage channel and may expose sensitive operational details to later readers, tools, or version control.

VirusTotal

66/66 vendors flagged this skill as clean.