Self Improving Agent 3.0.5

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate self-improvement skill, but it needs review because it can persist conversation-derived learnings and promote them into future agent context without strong approval or redaction controls.

Install only if you want the agent to keep persistent local learning notes. Before enabling hooks or global configuration, review the scripts and decide whether every-prompt reminders are acceptable. Do not let the agent store secrets, tokens, customer data, raw transcripts, or private error output in .learnings or promoted instruction files; manually review and sanitize anything before it is promoted into future agent context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description frames behavior as passive logging and review, but the body also instructs hook-based automatic reminders, cross-session sharing, and creation of new skill scaffolds. That mismatch can cause users or agents to enable broader persistence and automation than they reasonably expected, weakening informed consent and increasing the chance of unintended data retention or prompt-surface expansion.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance is broad enough that normal conversation patterns can trigger the skill in situations that do not warrant persistence or logging. Over-triggering is dangerous here because the skill writes durable records and can promote them into agent context, turning routine interaction into stored operational memory.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The 'Automatically log when you notice' section uses generic phrases like corrections, feature wishes, and knowledge gaps that commonly occur in benign chat. Because these triggers directly instruct persistence, they create a risk of collecting and retaining incidental user content without a deliberate opt-in.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The empty matcher causes the hook command to run on every prompt, which is an overly broad trigger for a command-executing hook. In this skill, that means automatic script execution is attached to all interactions, increasing exposure to unwanted prompt-wide monitoring, accidental data capture, and unnecessary command execution overhead.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The user-level configuration recommends global activation without sufficiently constraining scope, so the hook can follow the user across projects and contexts. That broad persistence is riskier than project-local setup because it may expose unrelated workspaces, prompts, or sensitive tasks to the same automatic command execution path.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The overview describes proactive reminders but does not clearly warn that the configured hooks execute shell commands automatically, including after every prompt and after Bash tool use. Users may treat this as harmless guidance rather than command execution, which undermines informed consent and increases the chance they enable persistent automation without understanding the security implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file explicitly instructs operators to create persistent `.learnings/` storage in workspace or skill directories without warning that user content, errors, or corrections may be retained across sessions. In a self-improvement skill, this increases the chance of unintentionally storing sensitive prompts, secrets, or personal data beyond the user's expectations.

Ssd 3

Medium
Confidence
93% confidence
Finding
The inter-session communication guidance encourages sharing learnings across sessions and reading transcript history, which can propagate user data, secrets, and sensitive operational details beyond the original context. This increases exposure surface and violates least-privilege principles for memory and session isolation.

Ssd 3

Medium
Confidence
97% confidence
Finding
The templates explicitly request full context, actual error output, inputs, parameters, and related files, all of which often contain secrets, personal data, internal paths, or proprietary content. Persisting this information in markdown logs creates an easy secondary leakage channel and can spread sensitive data into repos or shared workspaces.

Ssd 3

Medium
Confidence
95% confidence
Finding
Telling agents to 'log immediately' and 'promote aggressively' to persistent context files encourages rapid propagation of possibly sensitive information before review. Once copied into CLAUDE.md, AGENTS.md, or similar files, the data becomes more durable and more likely to be injected into future sessions.

Session Persistence

Medium
Category
Rogue Agent
Content (excerpt from the skill file; the excerpt begins and ends mid-block)
```
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
```
Confidence
79% confidence
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

64/64 vendors flagged this skill as clean.
