Back to skill

Security audit

Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears non-malicious, but it should be reviewed because it can install broad prompt hooks and encourages writing persistent agent behavior into high-trust memory files.

Install only if you want persistent self-improvement logs and prompt-memory promotion. Prefer project-level hook configuration, add a narrower matcher where possible, review the shell scripts before enabling hooks, and require human approval before writing lessons into AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md, or other prompt-injected files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation states the scripts 'only output text' and 'don't modify files or run commands,' but the hook configuration explicitly invokes shell scripts via command hooks. This misleading assurance can cause users to underestimate execution risk and install always-on hooks that run with the agent's permissions, increasing the chance of unsafe behavior if the scripts are changed, compromised, or misunderstood.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guide expands a narrow 'self-improvement' skill into writing or promoting content into high-trust workspace prompt files such as AGENTS.md, SOUL.md, and TOOLS.md. That creates a persistence and prompt-injection pathway where transient errors, untrusted observations, or adversarial inputs can be converted into durable behavioral instructions that affect future sessions beyond the skill’s stated logging purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Documenting use of sessions_history allows the skill ecosystem to access other session transcripts, which may contain secrets, sensitive user data, or unrelated task context. Because transcript reading is not necessary for the declared self-improvement function, it unnecessarily broadens data access and creates a cross-session exfiltration and privacy risk if a compromised or overly-permissive skill uses it.

Vague Triggers

Medium
Confidence
86% confidence
Finding
An empty matcher causes the hook to fire on every prompt, creating broad, always-on execution of the configured script. In a self-improvement skill, this expands exposure to all user interactions and increases the chance of unnecessary data handling, prompt leakage into logs or derived artifacts, and performance or behavioral side effects across unrelated tasks.

Vague Triggers

Medium
Confidence
88% confidence
Finding
User-level global activation enables the hook across all repositories and sessions without meaningful scope boundaries. That broad deployment magnifies the consequences of script bugs, future script modifications, or accidental capture of sensitive prompts from unrelated projects, making the self-improvement context more dangerous because it is designed to observe failures and prompts broadly.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The Codex example also uses an empty matcher, so the hook activates for every prompt in that environment. As with the Claude examples, this creates unnecessary broad monitoring and script execution, which is riskier in a learning-capture skill because it can process prompts from tasks that do not need the feature.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.