Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but needs Review because it encourages persistent memory logging and broad optional hooks without enough privacy scoping or redaction guidance.

Install only if you want a persistent agent-memory workflow. Before enabling hooks, prefer project-level, narrowly matched hooks over global empty-match hooks (an empty matcher fires on every prompt), read the hook scripts before they run, and keep learning files out of version control unless the team intentionally wants reviewed shared memory. Log short, sanitized lessons, not raw transcripts, secrets, tokens, customer data, private prompts, full command output, or sensitive environment details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document's security section materially understates risk by claiming the scripts only output text and do not run commands, even though they are explicitly configured as command hooks and the same guide references an extraction script that performs scaffolding actions. This can cause users to trust and deploy hook scripts with insufficient scrutiny, increasing the chance of unintended code execution or privileged actions in the agent environment.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill uses broad activation criteria and common conversational patterns to trigger logging behavior, which can cause the agent to persist data from ordinary user interactions without clear user intent. In a memory-writing skill, overbroad triggering materially increases the chance of unnecessary retention of sensitive or private content.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The listed trigger phrases like ordinary corrections, wishes, and questions are common in normal conversation, so they can fire on benign chat and cause persistent logging. Because this skill stores and promotes content across sessions, loose phrase matching creates a real data-retention and privacy risk even without malicious intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
An empty matcher makes the UserPromptSubmit hook fire on every prompt, creating unconditional execution of a local command in response to all user interactions. In a self-improvement skill, this broad trigger increases exposure to prompt-triggered persistence, unnecessary data collection, and repeated execution of hook logic in sensitive contexts where no learning capture is needed.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list is broad enough that normal conversational corrections, generic tool errors, or vague 'knowledge gaps' could activate the skill unexpectedly and cause autonomous logging or promotion of content. In a prompt-injection-prone workspace model, ambiguous activation increases the chance that sensitive, attacker-supplied, or irrelevant text is persisted without clear user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document encourages storing learnings in shared workspace files and sending them across sessions, but it never warns against including secrets, private user content, credentials, or injected instructions. Because these files are part of persistent prompt context, unsafe logging can turn transient sensitive data into durable, broadly exposed context for future sessions and agents.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to log user corrections, requests, and contextual details into persistent files for future use. That creates a natural-language data retention channel where sensitive user information, proprietary prompts, or private project context may be stored and later resurfaced or shared across sessions.

Ssd 3

Medium
Confidence
92% confidence
Finding
Logging user corrections and missing-feature requests sounds harmless, but these often include detailed user goals, system context, or sensitive task descriptions. Persisting them by default can leak information into later sessions or shared workspaces beyond the original interaction.

Ssd 3

Medium
Confidence
95% confidence
Finding
Promoting logged learnings into durable agent context files amplifies the risk because any accidentally captured sensitive content becomes part of future prompts and may influence unrelated sessions. This turns a local logging issue into long-lived propagation across tools and agent runs.

Ssd 3

High
Confidence
97% confidence
Finding
Cross-session transcript reading and message sharing materially increase the blast radius of any sensitive content captured by this skill. Even if intended for collaboration, these features enable disclosure of prior session content to other sessions or agents, which is a meaningful confidentiality risk.

Ssd 3

Medium
Confidence
93% confidence
Finding
The learning template asks for 'Full context' and records source metadata from conversations and user feedback, encouraging overcollection of free-form interaction content. In practice, this can capture far more sensitive text than is needed to preserve the lesson.

Ssd 3

Medium
Confidence
96% confidence
Finding
Error logs that include raw input parameters and environment details frequently capture secrets such as tokens, URLs, internal paths, customer data, or configuration values. Persisting these details in markdown files creates a durable leakage point that may later be committed, indexed, or shared.
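One way to put the guidance at the top of this page into a hook script, and to address the vague-trigger and error-log findings above in one place: capture only on an explicit opt-in phrase rather than on ordinary corrections, and redact credentials, URL userinfo and environment assignments before a lesson touches a learnings file. This is an added example, not code from the skill under review or from the scanner. It assumes the hook receives the user's prompt as a string and that the skill's trigger phrases are configurable; the phrases, redaction patterns and sample prompts are constructed for illustration and should be adapted to the environment.

```python
"""Added example, not part of the scanned skill: an opt-in, redacting gate
for a learning-capture hook.

Assumptions (not from the page): the hook receives the user's prompt as a
string, and the skill's trigger phrases are configurable. The phrases,
redaction patterns and sample inputs below are constructed for illustration.
"""
import re

# Capture only on an explicit opt-in phrase, so ordinary corrections,
# wishes and questions do not persist anything.
TRIGGERS = ("remember this:", "lesson learned:", "note for next time:")

# Redactions applied before anything is written to a learnings file.
# Order matters: labelled secrets first, generic env assignments last.
REDACTIONS = [
    # "Authorization: Bearer <token>" style credentials
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]+"), "Bearer [REDACTED]"),
    # key=value / key: value for common secret labels
    (re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\b\s*[:=]\s*\S+"),
     r"\1=[REDACTED]"),
    # AWS access key IDs and a few well-known token prefixes (illustrative list)
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    (re.compile(r"\b(sk|ghp|xox[bp])[-_][A-Za-z0-9_-]{8,}\b"), "[REDACTED_TOKEN]"),
    # user:password@ in any URL scheme
    (re.compile(r"\b([a-z][a-z0-9+.-]*://)[^\s/@:]+:[^\s/@]+@"), r"\1[REDACTED]@"),
    # SHOUTING_CASE=value: environment details, including whole connection URLs
    (re.compile(r"\b([A-Z][A-Z0-9_]{2,})=\S+"), r"\1=[REDACTED]"),
]

MAX_LESSON_CHARS = 280  # a lesson, not a transcript


def extract_lesson(prompt):
    """Return the text following an explicit trigger phrase, or None."""
    lowered = prompt.lower()  # ASCII triggers, so offsets line up with prompt
    for trigger in TRIGGERS:
        idx = lowered.find(trigger)
        if idx != -1:
            return prompt[idx + len(trigger):].strip()
    return None


def sanitize(text):
    """Redact credentials and env values, flatten to one line, cap the length."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    text = " ".join(text.split())  # no multi-line command output or transcripts
    if len(text) > MAX_LESSON_CHARS:
        text = text[:MAX_LESSON_CHARS].rstrip() + " [truncated]"
    return text


def capture(prompt):
    """What the hook may persist for this prompt: a sanitized lesson, or nothing."""
    lesson = extract_lesson(prompt)
    return None if lesson is None else sanitize(lesson)


if __name__ == "__main__":
    # Constructed sample prompts: a plain correction (nothing persisted) and an
    # explicit lesson that drags a token and a connection string along with it.
    samples = [
        "Actually, no, I meant the other file.",
        "No, use pnpm here. Remember this: run pnpm install before tests; "
        "CI uses TOKEN=ghp_abcdefghijklmnop and DB_URL=postgres://admin:hunter2@db.internal/app",
    ]
    for prompt in samples:
        print(repr(capture(prompt)))
```

The first sample returns None, so a bare correction never reaches the learnings file; the second keeps the lesson but persists only `TOKEN=[REDACTED]` and `DB_URL=[REDACTED]`. The redaction list is a floor, not a ceiling: a regex allowlist cannot recognise every secret, which is why the gate also refuses transcripts and multi-line output outright rather than trying to scrub them.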

Session Persistence

Medium
Category
Rogue Agent
Content (excerpt from the skill's own documentation; the excerpt begins inside a directory-tree code block)

```
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
```
Confidence
76% confidence
Finding
The flagged content is the "Create Learning Files" step (mkdir -p ~/.openclaw/workspace/.learnings), which creates the persistent learnings directory that carries captured content across sessions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal