Hermes Learning Loop

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it can create persistent memories and new agent skills from session activity with weak review, redaction, and cleanup controls.

Install only if you deliberately want a self-learning skill that writes local memory and may generate new skills. Keep LEARNING_AUTO_CREATE=false, review any generated memory or SKILL.md before reuse, avoid using it on sessions containing secrets or confidential project details, and periodically inspect and delete the .openclaw memory and skills it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises and demonstrates use of environment variables and local execution flows but does not declare permissions or boundaries for accessing env-derived data. In a self-improving, persistence-oriented skill, undeclared env access increases the chance of unintentionally reading or persisting secrets such as tokens, paths, or session metadata across sessions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior goes materially beyond the stated purpose: it describes writing persistent memory files, handling user/project/feedback data, loading local session artifacts, and managing state through extra commands. This mismatch is dangerous because operators may trust a narrow 'workflow learning' description while the skill actually retains broader local data and manipulates persistent state, weakening informed consent and review.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
If the requested session file is missing, the code silently fabricates a successful complex session and then uses it to drive extraction and potential skill creation. In this skill's context, that can poison the agent's learned state with invented workflows, causing untrusted automation artifacts to be persisted and later reused as if they were real.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README prominently advertises automatic extraction, skill creation, and persistence of knowledge across sessions, but it does not clearly warn users that potentially sensitive task history, prompts, corrections, and workflow details may be stored long-term. In an agent context, this can cause unintentional retention of secrets, proprietary data, or user behavioral information, especially because the persistence behavior is presented as a core feature rather than an opt-in risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The heartbeat auto-trigger instructions tell users to run periodic nudges but omit that these nudges may generate or update persistent skills and memories as a side effect. Because this is framed as routine automation, users may enable it without understanding that every few tasks the agent may analyze prior activity and write durable artifacts, increasing the chance of silently persisting sensitive or misleading content.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The auto-use guidance is broad enough that the skill may be invoked during many ordinary tasks without a clear user request or strong gating. For a skill that writes memories and creates new skills, unintended invocation can cause silent retention of workflow history and user-related context.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The listed creation triggers are heuristic and permissive, but they do not define exclusions for sensitive, one-off, failed, or privacy-relevant workflows. This creates a risk that the agent will persist inappropriate content or encode accidental behavior into reusable skills.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill prominently describes cross-session memory and workflow extraction but does not provide a clear warning that user data, workflow history, and corrections may be stored persistently. Without prominent disclosure, users may unknowingly provide information that becomes durable agent memory and is later resurfaced in unrelated contexts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code writes curated user/project data to disk automatically, without meaningful disclosure or confirmation. In an agent skill that claims to learn across sessions, silent persistence increases the risk of storing sensitive project details or personal preferences that users did not expect to retain, creating privacy and data-governance exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When AUTO_CREATE is enabled, the skill writes generated skill files automatically based on extracted session data, without explicit user approval at write time. In this context, that can lead to unintended persistence of unreviewed instructions or workflows that may later influence agent behavior, effectively turning noisy or sensitive session content into reusable automation artifacts.

Ssd 3

Medium
Confidence
93% confidence
Finding
These instructions explicitly encourage persisting user preferences, project context, and feedback across sessions, which creates a natural-language data retention and leakage channel. Such stored text can later expose sensitive business details, personal preferences, or confidential corrections outside the original task context.

Ssd 3

Medium
Confidence
94% confidence
Finding
The curation policy tells the agent to keep user preferences, project context, and corrections in persistent memory files, directly establishing a mechanism for long-lived storage of potentially sensitive natural-language content. Because this memory is designed for future retrieval, it can amplify accidental disclosure and cross-task contamination.

Ssd 3

Medium
Confidence
95% confidence
Finding
The session curation flow explicitly classifies user preferences, project context, and feedback for persistence, and later stores them in plain text. For a cross-session memory system, this creates a real data-retention risk: sensitive internal context or personal information may be accumulated on disk and exposed to other tools, users, backups, or future prompts.

Ssd 3

Medium
Confidence
96% confidence
Finding
User corrections are stored directly as memory content with no filtering, so secrets, credentials, proprietary snippets, or sensitive instructions included in corrections could be written verbatim to disk. Because this skill is designed to reuse retained knowledge across sessions, unfiltered feedback persistence can propagate and repeatedly expose sensitive data.

Session Persistence

Medium
Category
Rogue Agent
Content
## 📋 Skill Triggers

Automatically create skill when:
- ✅ 5+ tool calls in sequence
- ✅ Recovered from error successfully
- ✅ User corrected → fixed approach
Confidence
88% confidence
Finding
Automatically create skill when:
- ✅ 5+ tool calls in sequence
- ✅ Recovered from error successfully
- ✅ User corrected → fixed approach
- ✅ Non-obvious workflow that worked
- ✅ Repeated pattern detected (3+ times)

Session Persistence

Medium
Category
Rogue Agent
Content
# After completing a task
node learning-loop.js extract --session=<session_id>

# Create skill from workflow
node learning-loop.js create-skill --name="my-skill" --description="What it does"

# Periodic nudge (heartbeat)
Confidence
81% confidence
Finding
# Create skill from workflow
node learning-loop.js create-skill --name="my-skill" --description="What it does"

# Periodic nudge (heartbeat)
node learning-loop.js nudge

### Auto-Trigger (Integratio

Session Persistence

Medium
Category
Rogue Agent
Content
### Skill Triggers

Automatically create skill when:
- ✅ 5+ tool calls in sequence
- ✅ Recovered from error successfully
- ✅ User corrected → fixed approach
Confidence
86% confidence
Finding
Automatically create skill when:
- ✅ 5+ tool calls in sequence
- ✅ Recovered from error successfully
- ✅ User corrected → fixed approach
- ✅ Non-obvious workflow that worked
- ✅ Repeated pattern detected (3+ times)

VirusTotal

67/67 vendors flagged this skill as clean.
