Back to skill

Security audit

Self Evolution-v2

Security checks across malware telemetry and agentic risk

Overview

This skill is not deceptive or malware-like, but it persistently changes core agent behavior and records prior conversation-derived lessons without enough user control.

Install only if you are comfortable with a skill that can permanently alter your agent's SOUL.md and keep local records of corrections, task outcomes, unresolved work, and inferred feedback. Before applying it, review and back up SOUL.md, inspect the .learnings files it creates, and avoid using it in sensitive or shared workspaces unless you add explicit confirmation, rollback, retention, and redaction controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script persistently alters the agent's core SOUL.md and installs always-on behavioral artifacts in the workspace, which changes the agent's baseline behavior across future sessions rather than performing a limited, reversible setup action. In the context of an agent skill, modifying a core instruction file creates a durable prompt-injection/persistence mechanism that can silently override user expectations and expand the skill's influence beyond its stated runtime scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The injected rules instruct the agent to automatically read prior memory/conversation files and write lessons back into SOUL.md, creating self-modifying behavior with access to historical context. That broadens the skill from a helper into a persistence and data-propagation mechanism, increasing the risk of privacy leakage, instruction drift, and amplification of any bad or adversarial content found in prior records.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that it will automatically write to SOUL.md and create local tracking files, but does not clearly warn users or require consent for those persistent filesystem changes. In an agent environment, silent modification of instruction/configuration files can alter future model behavior in non-obvious ways and create a durable persistence mechanism the user did not intentionally approve.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes automatically reading prior memory files and conversation-derived records without any privacy notice, data minimization, or consent model. That creates a confidentiality risk because prior conversations, corrections, and unresolved items may contain sensitive personal, business, or credential-adjacent information that the user did not expect to be reprocessed automatically in later sessions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly tells the user that the AI will automatically write evolution rules into SOUL.md and create learning template files, but it gives no warning about overwriting, merging, or changing existing user configuration. Because these are persistent workspace files, silent modification can alter agent behavior, destroy prior customizations, or create confusing state without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script appends content directly to SOUL.md as soon as it runs, with no interactive confirmation, diff preview, or secondary safeguard. For a file that governs core agent behavior, silent modification is dangerous because it enables unauthorized persistence and makes it easy to smuggle broad instructions into future sessions without informed consent.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.