Lovefromio Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is not malware, but it needs review because it encourages long-lived agent memory, broad logging of conversation/error context, cross-session sharing, and always-on hooks without enough privacy or scope controls.

Install only if you are comfortable with an agent keeping persistent notes from errors, corrections, and conversations. Prefer project-local setup, avoid global hooks, inspect scripts before enabling them, use narrow matchers, redact secrets and personal data before logging, require explicit approval before promoting content into prompt files, and periodically review or delete .learnings and workspace memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Severity: Medium. Confidence: 97%.
The document’s security section states that the scripts 'only output text' and 'don't modify files or run commands,' but the guide explicitly configures them as command hooks and also invokes a shell script directly. This kind of misleading assurance can cause users to trust and enable auto-executed scripts without understanding their actual execution model and privilege level.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
The document significantly broadens a 'self-improvement' skill from local learning capture into persistent prompt-shaping across AGENTS.md, SOUL.md, TOOLS.md, and cross-session coordination. This is dangerous because it creates an avenue for durable prompt injection and behavioral drift beyond the original skill scope, potentially affecting future sessions and agents without clear trust boundaries or approval gates.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The guide introduces capabilities to inspect other sessions, send them messages, and spawn sub-agents, even though the skill's stated purpose is learning capture. These features increase the attack surface for lateral movement, data exposure across sessions, and propagation of poisoned instructions or sensitive context between otherwise separated conversations.

Vague Triggers

Severity: Medium. Confidence: 88%.
The template tells authors to include trigger conditions, but it does not require explicit activation boundaries, exclusions, or disambiguation from nearby skills. In an agent setting, vague triggers can cause over-broad auto-selection of a skill, leading the system to apply procedures in the wrong context and potentially execute inappropriate actions or guidance.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The script-capable template normalizes executable helpers and shell invocation examples without requiring warnings, approval gates, dry-run behavior, or documentation of side effects. In practice, this can encourage skills that present commands as routine steps, increasing the chance that an agent or user runs scripts that modify the filesystem, system configuration, or external resources without informed consent.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The setup instructions wire local shell scripts into UserPromptSubmit and PostToolUse events, causing automatic execution on every prompt or matching tool event, yet the setup point lacks an immediate warning about that behavior. Users may copy-paste the configuration without realizing they are enabling recurring code execution tied to normal interaction flow.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The guide recommends user-level activation in ~/.claude/settings.json for 'global activation' without a nearby warning that the hook will run across all sessions and projects. That broad persistence increases the blast radius of any script defect, malicious modification, or unintended data exposure from hook execution.

Vague Triggers

Severity: Medium. Confidence: 89%.
The trigger conditions are broad phrases such as tool errors, knowledge gaps, and model behavior surprises, which can cause the skill to activate in many normal situations. Ambiguous activation increases the likelihood of unintended writes, persistence of low-quality or sensitive data, and autonomous behavior outside user expectations.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The guide recommends promoting learnings into workspace files that are later injected into sessions, but it does not warn that these files may persist sensitive information or expose it across future sessions and agents. This creates a durable confidentiality risk and can also turn one-time mistakes or malicious content into recurring prompt injection material.

Ssd 3

Severity: Medium. Confidence: 93%.
The skill normalizes saving user corrections, requests, and conversation-derived details into persistent markdown and even promoting them into broader memory files. That creates a real risk of retaining secrets, personal data, proprietary prompts, or sensitive project context in plaintext beyond the original session.

Ssd 3

Severity: High. Confidence: 96%.
Presenting transcript reading and cross-session sharing as a standard learning workflow enables agents to inspect and redistribute prior session content in plain language. If those transcripts contain secrets, user data, or confidential code context, this materially increases unauthorized exposure across sessions and agents.

Ssd 3

Severity: High. Confidence: 98%.
The prescribed logging format explicitly asks for full context, inputs, parameters, error output, and user context, which strongly encourages plaintext capture of secrets and sensitive operational details. Error logs frequently contain tokens, URLs, stack traces, file paths, and customer data, so this creates a substantial data-retention and secondary-disclosure risk.

Ssd 3

Severity: Medium. Confidence: 92%.
Aggressive promotion of learnings into persistent instruction files broadens the blast radius of any sensitive detail accidentally captured earlier. Once propagated into global or project-level guidance files, the information is more likely to be reused, surfaced in future sessions, or committed to version control.

VirusTotal

65/65 vendors flagged this skill as clean.