Dobby Harness Self-improving Coding Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks agents to persist sensitive session and environment context without enough safeguards.

Review the memory and session-state behavior before installing. Do not let it store raw environment variables, tokens, secrets, private paths, or detailed internal reasoning unless you have added redaction, retention limits, and file-permission controls. Treat generated CI/CD or PR-commenting workflows as draft output requiring human review before enabling real repository or deployment side effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The document presents contradictory security claims: earlier sections state file access controls are missing and pending remediation, while the compliance section marks broken access control as satisfied. This can mislead operators, reviewers, or downstream agents into believing a known control gap is already addressed, causing insecure deployment or delayed remediation.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The report labels the default configuration as secure despite documenting missing encryption, missing file access controls, and absent rate limiting. This creates a false sense of safety that may result in insecure systems being approved, inherited as baseline configuration, or excluded from needed hardening work.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The example's error-handling path attempts to persist recovery state using `state` from outside its block scope, so the catch block would fail or persist nothing useful. In a self-improvement and recovery system, broken failure persistence undermines crash recovery guarantees and can cause task loss, inconsistent state, or misleading operator assumptions during incidents.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger list includes generic phrases such as "工作流", "代码审查", and "测试生成" that are common in normal developer conversations. In a skill-routing system, overly broad triggers can cause unintended activation, leading the skill to run in contexts the user did not intend and potentially exposing workspace context or influencing actions unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The document advocates persistent WAL logs, task buffers, learning records, and error retention but does not mention data classification, retention limits beyond one buffer example, redaction, or user/operator notice. In this context, task state and errors may contain source code, secrets, identifiers, or sensitive operational metadata, so indiscriminate persistence increases privacy and data-exposure risk if files are accessed, reused, or retained too long.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill documents an automated code review workflow with `autoComment: true` and later exposes `autoCommit`/`autoComment` options, but it does not clearly warn that these settings can create repository-side effects. In an agent skill, undocumented write actions increase the risk of unintended comments, commits, or workflow-triggering changes being performed in user repositories.

Missing User Warnings

Severity: High
Confidence: 78%
Finding
This workflow describes generating CI/CD configs, Docker artifacts, and deployment scripts without prominently warning that these files can materially change build, runtime, and deployment behavior. In an agent skill context, silently producing deployment-related files is more dangerous than ordinary documentation because downstream automation may execute them and affect production integrity. The risk is amplified by the example targeting production workflows.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The template explicitly captures environment variables, workspace path, current directory, related files, and user/project context in persisted session state without any minimization, masking, or sensitivity guidance. In practice, these fields commonly contain secrets, internal paths, tokens, usernames, and other operationally sensitive metadata that could be exposed through logs, memory sync, backups, or later prompts.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The template asks for detailed thought process, decision rationale, problems, and solutions to be retained as session state. Persisting internal reasoning can leak sensitive deliberations, hidden policy logic, proprietary analysis, or user data derived during problem-solving, and it increases the attack surface if the state is later retrieved or exposed.

VirusTotal

65/65 vendors flagged this skill as clean.