learning-engine

Security checks across malware telemetry and agentic risk

Overview

This skill is instruction-only and purpose-coherent, but it would persist learned content and automatically edit other skills without clear approval, scoping, or rollback controls.

Install only if you intentionally want an agent to learn from local memory files and potentially change other skills. Before enabling it, require manual approval with visible diffs for every skill-file update, disable automatic hooks unless needed, redact sensitive log content, keep backups, and set retention limits for generated learning artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill explicitly states it will auto-update other skills' SKILL.md files based on learned content. That grants cross-skill write capability far beyond passive analysis and creates a supply-chain-style risk: untrusted or low-quality content from logs, self-evals, or performance data can be propagated into multiple skills, potentially altering future agent behavior in unsafe ways.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger keywords are generic phrases like 'learning', 'lessons', and 'improvements' that commonly appear in normal conversation. Overly broad triggers can cause accidental invocation of the skill, leading to unexpected persistence, summarization, rule generation, or cross-file updates without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description emphasizes learning and improvement but does not prominently warn that it writes persistent artifacts and auto-updates other skills' documentation. This omission undermines informed consent and increases the chance that users or operators invoke it without understanding its durable side effects.

Ssd 3

Medium
Confidence: 89%
Finding
The skill is designed to collect mistakes, successes, evaluations, and performance information across memory stores for later reuse. This creates a natural-language data retention and leakage risk because sensitive operational details, user content, or credentials mentioned in logs or evaluations may be preserved, re-summarized, and surfaced in new contexts.

Ssd 3

Medium
Confidence: 92%
Finding
The weekly reports and learned rules are generated from accumulated logs and evaluations, which encourages broad summarization of prior inputs into durable new documents. This amplifies leakage risk because information that was originally scattered or transient becomes easier to discover, reuse, and exfiltrate once consolidated.

Ssd 3

Medium
Confidence: 96%
Finding
The pipeline propagates learned content from memory sources into other skill files, expanding the blast radius of any sensitive, erroneous, or adversarially planted text. This is more dangerous than simple retention because it turns stored content into behavioral instructions in broader contexts, potentially causing persistent prompt injection or leakage across skills.

VirusTotal

66/66 vendors flagged this skill as clean.
