Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate self-improvement logger, but it needs review because it encourages broad persistent memory and cross-session sharing of potentially sensitive context.

Install only if you intentionally want durable agent memory. If you do:
  • Prefer project-level hooks over global hooks.
  • Review hook scripts before enabling them.
  • Redact secrets and personal or customer data from learning entries.
  • Avoid copying raw transcript content.
  • Require explicit user review before promoting entries into AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md or Copilot instructions, and before sharing learnings across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The document's security section materially misrepresents the behavior of the configured hooks. The examples explicitly configure hook entries of type "command", which means shell commands are executed; claiming they 'only output text' can mislead users into underestimating execution risk and installing them in more privileged or sensitive environments.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
This section extends a self-improvement skill from local note-taking into cross-session coordination and messaging, which materially broadens its authority and data reach. Even if framed as productivity guidance, tying learnings to agent orchestration creates a path for unintended propagation of sensitive context across sessions beyond the skill's stated purpose.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The promotion workflow directs learned content into broad workspace control files such as AGENTS.md, SOUL.md, and TOOLS.md, which can alter future agent behavior well beyond simple logging. This effectively turns transient observations into persistent prompt-shaping instructions, increasing the risk of accidental prompt injection, policy drift, or persistence of bad guidance.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Reading transcripts from other sessions is a cross-context data access capability that is not necessary for basic self-improvement logging. Without a strong need-to-know boundary, it can expose unrelated sensitive prompts, outputs, or credentials from other workstreams and normalize unnecessary lateral access.

Vague Triggers

Medium
Confidence: 82%
Finding
The skill’s activation guidance is broad enough to match ordinary conversation and common workflow events, which can cause frequent unintended invocation. In practice, that increases the chance of unnecessary logging of user content, corrections, and operational details into persistent files, expanding the exposure surface for sensitive data.

Vague Triggers

Medium
Confidence: 94%
Finding
The listed detection phrases like corrections, feature wishes, and knowledge-gap cues are overly generic and can be encountered in normal conversation without implying consent to persist data. That makes accidental logging more likely, which is dangerous because the skill also encourages storing context, errors, and related details in durable files and promoting them into broader agent memory.

Vague Triggers

Medium
Confidence: 90%
Finding
An empty matcher causes the UserPromptSubmit hook to fire on every prompt, greatly broadening execution scope. In a skill that runs shell-command hooks, this increases the chance of unintended triggering, prompt-context pollution, and repeated execution in workflows where the hook is unnecessary.

Vague Triggers

Medium
Confidence: 94%
Finding
Using an empty matcher in user-level global configuration enables the hook across all sessions and projects, expanding persistence and blast radius. If the script is modified, replaced, or behaves unexpectedly, it will execute broadly in unrelated contexts, increasing exposure of sensitive prompts and environments.

Vague Triggers

Medium
Confidence: 91%
Finding
The Codex example repeats the same broad empty-matcher pattern, causing the hook to execute for all prompt submissions without constraints. This is especially risky in a cross-tool setup because users may copy the configuration widely, normalizing unrestricted command-hook execution.
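The three matcher findings above, together with the earlier Intent-Code Divergence finding about command-type hooks, describe patterns that can be checked mechanically before a hook file is enabled. The following Python is an added example, not code from the scanned skill, from SkillSpector or from any agent vendor. It assumes a settings layout of the form {"hooks": {"<Event>": [{"matcher": "...", "hooks": [{"type": "command", "command": "..."}]}]}} and assumes the matcher constrains the named event in the way the findings describe; both are this example's assumptions rather than facts stated on this page. The two sample configurations are constructed: one reproduces the weak pattern (user-level file, empty matcher, command hook pointing at a script under the home directory), the other a project-level alternative.

```python
"""Audit hook settings for the patterns the findings flag: command-type hooks
(shell execution), empty matchers (fire on every event) and user-level
placement (every project in scope).

Added example; not code from the scanned skill or from SkillSpector.  The
settings layout below and the meaning of "matcher" are assumptions.
"""
import json
from dataclasses import dataclass

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    event: str
    severity: str  # "info" | "medium" | "high"
    reason: str


def audit_hooks(settings: dict, scope: str) -> list:
    """Return one Finding per problem found in `settings`.

    scope is "user" for a global settings file (under the home directory)
    or "project" for a repository-local one.
    """
    findings = []
    for event, entries in settings.get("hooks", {}).items():
        for entry in entries:
            matcher = (entry.get("matcher") or "").strip()
            if matcher in ("", "*"):
                # Nothing constrains when this entry runs.
                where = "every project" if scope == "user" else "this project"
                severity = "high" if scope == "user" else "medium"
                findings.append(Finding(event, severity,
                                        f"empty matcher: runs on every {event} in {where}"))
            for hook in entry.get("hooks", []):
                if hook.get("type") != "command":
                    continue
                cmd = hook.get("command", "")
                # A command hook executes a shell command; it does not merely output text.
                findings.append(Finding(event, "info", f"command hook executes {cmd!r}"))
                if cmd.startswith(("~", "$HOME", "/")):
                    findings.append(Finding(event, "medium",
                                            "script lives outside the project tree; editing it "
                                            "changes behaviour in every session that references it"))
    return findings


def audit_json(text: str, scope: str) -> list:
    """Same check for the raw contents of a settings file."""
    return audit_hooks(json.loads(text), scope)


def worst(findings: list) -> str:
    """Highest severity present, or "clean" when there are no findings."""
    if not findings:
        return "clean"
    return max(findings, key=lambda f: SEVERITY_ORDER[f.severity]).severity


# Constructed sample: the pattern the findings describe.  A user-level file,
# an empty matcher and a command hook whose script lives under $HOME.
WEAK_USER_SETTINGS = {
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": "",
             "hooks": [{"type": "command",
                        "command": "~/.claude/hooks/self-improve.sh"}]}
        ]
    }
}

# Constructed sample: project-level file, a matcher naming the prompts the
# skill should see (assumed matcher semantics), script kept in the repo.
HARDENED_PROJECT_SETTINGS = {
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": "^(learned|correction):",
             "hooks": [{"type": "command",
                        "command": ".claude/hooks/self-improve.sh"}]}
        ]
    }
}

if __name__ == "__main__":
    for name, settings, scope in (("weak (user)", WEAK_USER_SETTINGS, "user"),
                                  ("hardened (project)", HARDENED_PROJECT_SETTINGS, "project")):
        found = audit_hooks(settings, scope)
        print(f"{name}: worst={worst(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.event}: {f.reason}")
```

Run it on both files before enabling a skill that ships hooks: the weak sample yields a high finding for the global empty matcher plus an info and a medium finding for the command hook, while the project-level sample yields only the unavoidable info finding that a command hook executes a command. That last finding is deliberate: there is no configuration under which a type "command" hook only outputs text, so the script it names is what has to be reviewed.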

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger definitions are broad enough that normal conversation events, tool failures, or vague 'knowledge gaps' could activate the skill unexpectedly. In a system that writes persistent learnings or promotes content into workspace prompt files, overbroad activation increases the chance of storing noisy, adversarial, or user-supplied content as future instructions.

Ssd 3

Medium
Confidence: 95%
Finding
This section explicitly normalizes persisting user corrections, missing capabilities, errors, and workflow details to markdown files for later review and promotion. That creates a natural-language retention channel where secrets, proprietary prompts, personal data, or internal operational details can be stored long-term and later surfaced to future sessions or tools.

Ssd 3

Medium
Confidence: 96%
Finding
Inter-session features that read session history and send learnings to other sessions materially increase the blast radius of any sensitive data captured by this skill. Once logged or shared across sessions, user-provided information may be exposed beyond the original context, violating least privilege and making accidental disclosure harder to contain.

Ssd 3

Medium
Confidence: 97%
Finding
The templates ask for full context, actual error output, inputs/parameters, and user context, which are precisely the fields most likely to contain secrets, tokens, internal paths, customer data, or confidential business information. Because these are stored in plain-language markdown for later reuse, the skill creates a durable and easily propagated data leakage path.
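The three findings in this group, and the Overview's advice to redact secrets and require explicit review before promotion, translate into two concrete controls: a redaction pass over every entry before it is written to a learnings file, and a gate that refuses to write into a workspace control file without a named reviewer. The following Python is an added example, not code from the scanned skill. The field names (context, error_output, inputs, user_context) follow the template fields the finding describes; the regexes, the set of control files (the Copilot instructions path is assumed), the reviewed_by flag and the sample entry are this example's own assumptions, and the sample entry is constructed.

```python
"""Redact a learning entry before it is written to a markdown learnings file,
and refuse promotion into a workspace control file without explicit review.

Added example; not code from the scanned skill.  Field names follow the
template fields the finding describes; the regexes, the control-file set
and the review flag are this example's own assumptions.
"""
import re
from typing import Optional

# Promotion targets named on the page; the Copilot path is an assumption.
CONTROL_FILES = {"AGENTS.md", "SOUL.md", "TOOLS.md", "CLAUDE.md",
                 ".github/copilot-instructions.md"}

# Applied in order: specific formats first, generic key=value pairs after,
# then personal identifiers.  A floor, not a guarantee; see the note below.
SECRET_PATTERNS = [
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     "[REDACTED_PRIVATE_KEY]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\g<1>[REDACTED_TOKEN]"),
    (re.compile(r"(?i)\b(api[_-]?key|secret(?:[_-]?key)?|access[_-]?key|password|passwd|token)"
                r"\s*[=:]\s*\S+"), r"\g<1>=[REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[REDACTED_EMAIL]"),
    (re.compile(r"/(?:home|Users)/[^/\s]+"), "/home/[USER]"),
]


def redact(text: str) -> str:
    """Mask credentials, private keys, e-mail addresses and home-directory paths."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact_entry(entry: dict) -> dict:
    """Redact every string field of a learning entry, not only the template fields."""
    return {k: redact(v) if isinstance(v, str) else v for k, v in entry.items()}


def check_promotion(entry: dict, target: str, reviewed_by: Optional[str] = None) -> list:
    """Return the reasons `entry` must not be written to `target`; empty means allowed."""
    blockers = []
    if target in CONTROL_FILES and not reviewed_by:
        blockers.append(f"{target} shapes future agent behaviour; explicit human review is required")
    if "raw_transcript" in entry:
        blockers.append("raw transcript content must not be promoted; summarise it instead")
    if entry != redact_entry(entry):
        blockers.append("entry still contains unredacted secrets or personal data")
    return blockers


def render_markdown(entry: dict) -> str:
    """The markdown block appended to the learnings file (entry must already be redacted)."""
    lines = [f"## {entry.get('title', 'untitled')}"]
    for field in ("context", "error_output", "inputs", "user_context", "learning"):
        if field in entry:
            lines.append(f"- {field}: {entry[field]}")
    return "\n".join(lines)


# Constructed sample entry filled in the way the template asks: full context,
# actual error output, inputs and user context.  Every value is made up.
SAMPLE_ENTRY = {
    "title": "deploy.sh fails when AWS_REGION is unset",
    "context": "Running ./deploy.sh from /home/alice/work/acme-billing as alice@acme-corp.example",
    "error_output": "Unable to locate credentials. Tried AKIAIOSFODNN7EXAMPLE with secret_key=wJalrXUtnFEMI",
    "inputs": "curl -H 'Authorization: Bearer eyJhbGciOi.payload.sig' https://api.internal/v1/charge",
    "user_context": "Customer: Jane Doe <jane.doe@client.example>, password=hunter2",
    "learning": "Export AWS_REGION before running deploy.sh",
}

if __name__ == "__main__":
    clean = redact_entry(SAMPLE_ENTRY)
    print(render_markdown(clean))
    print("promote raw entry:", check_promotion(SAMPLE_ENTRY, "AGENTS.md", reviewed_by="alice"))
    print("promote unreviewed:", check_promotion(clean, "AGENTS.md"))
    print("promote reviewed:", check_promotion(clean, "AGENTS.md", reviewed_by="alice"))
```

The gate runs the redactor a second time and compares, so an entry that was written without redaction is caught at promotion time as well. Pattern matching only removes what it recognises: the customer's name in the sample survives, and so would an internal hostname or a proprietary prompt, which is why the Overview's explicit review step is required in addition to, not instead of, this filter.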

VirusTotal

66/66 vendors flagged this skill as clean.
