Security audit

Heleni Self Learning

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it gives the agent broad, persistent self-modification and memory-writing authority with weak privacy and approval boundaries.

Install only if you intentionally want an agent to keep long-term learning records and update its own operating instructions. Require manual review before any write outside .learnings, do not allow passwords, tokens, cookies, or credentials to be stored in MEMORY.md, and periodically review or delete logs that contain private or sensitive context.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Context-Inappropriate Capability

Medium, 93% confidence

The reflection phase directs the agent to read broadly across identity files, memory, skills, configuration, and cron jobs before making changes, which exceeds the narrow scope implied by a self-learning/logging skill. This creates unnecessary access to unrelated sensitive data and increases the chance of over-collection, prompt-scope creep, or unintended modification decisions based on information the task did not require.

Vague Triggers

Medium, 88% confidence

The skill description uses very broad triggers such as corrections, failures, better approaches, recurring patterns, and reflection sessions, making activation easy in ordinary conversations. Over-broad activation increases the likelihood that the agent persistently logs or modifies behavior in situations where the user did not intend durable retention or system changes.

Vague Triggers

Medium, 92% confidence

The instruction to log events before replying is underspecified and encourages automatic persistence of interaction details without first checking relevance, consent, or sensitivity. In practice this can cause routine messages, corrections, or sensitive disclosures to be written to disk simply because they occurred during a conversation.

Missing User Warnings

High, 98% confidence

The promotion guidance explicitly suggests placing contact or credential information into MEMORY.md, normalizing long-term storage of secrets and sensitive identifiers. Storing credentials in general workspace memory without strict handling controls materially raises the risk of secret exposure, misuse, later retrieval by unrelated tasks, or accidental commit/sync.

Ssd 3

Medium, 84% confidence

The skill is designed around persistent learnings and behavioral updates across .learnings and configuration files, which encourages retention of owner-provided information over time. Without strong boundaries, this persistence can collect more context than necessary and transform ephemeral conversation details into durable records.

Ssd 3

Medium, 93% confidence

Mandating logging before replying encourages automatic capture of owner inputs without review, which can sweep sensitive details into persistent storage during normal support or correction flows. This is especially risky because users may reveal personal, proprietary, or secret information while explaining what went wrong.

Ssd 3

Medium, 90% confidence

The log template solicits trigger, context, root cause, and future corrective behavior, which invites detailed capture of interaction history and derived rules from user exchanges. This can preserve unnecessary private context and create durable summaries of sensitive scenarios far beyond what is needed for improvement.

Ssd 3

High, 99% confidence

The table explicitly routes contact or credential information into persistent memory, creating a direct path for storing sensitive data in a general-purpose file. Credentials are particularly dangerous because they can enable account compromise, lateral access, and long-term exposure if the workspace is read, synced, or modified by other processes.

Ssd 3

Medium, 91% confidence

The deep system scan instructs reading MEMORY.md and all active skills/configuration broadly, which increases exposure to accumulated sensitive data even when only a narrower diagnosis is needed. Broad inspection raises the blast radius of any mistaken retention, summarization, or later use of information from unrelated files.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.