Self Improving Agent 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent, but it tells agents to persist conversation-derived details and promote them into future agent instructions without enough user control or privacy safeguards.

Install only if you want durable project memory. Keep .learnings local or review it before committing, redact secrets and customer or personal data, avoid global hooks unless you really want every prompt covered, and require an explicit review before editing CLAUDE.md, AGENTS.md, Copilot instructions, or creating new skills from logged content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The document's security section understates the trust boundary by saying the scripts only output text and do not run commands, while the configuration explicitly installs them as command hooks. This can mislead users into granting broad trust to executable scripts that run automatically in response to prompts or tool events, increasing the chance of unsafe deployment or insufficient review.

Vague Triggers

Medium
Confidence: 86%
Finding
The automatic triggers are overly generic and can fire on normal conversation patterns like corrections or capability questions. In the context of a skill that persistently writes learnings, errors, and user context to disk, this creates a realistic risk of unnecessary retention of conversational content without deliberate user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to write learnings, corrections, and error context into local markdown files but provides no privacy warning, redaction guidance, or consent checkpoint. Because these logs may include conversation details, environment information, or operational context, users can unknowingly persist sensitive data to disk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document explicitly describes tracking learnings in the repository as shared knowledge without warning that these entries may contain sensitive user, system, or business information. Once committed, such information may be exposed to all collaborators, CI systems, forks, and long-term version history, greatly increasing blast radius.

Vague Triggers

Medium
Confidence: 88%
Finding
An empty matcher causes the activator hook to run on every prompt, creating an unnecessarily broad automatic execution surface. In a self-improvement skill, this means untrusted prompt content can repeatedly trigger helper scripts, increasing exposure to denial-of-service, noisy context injection, or accidental processing of sensitive inputs across all sessions.

Vague Triggers

Medium
Confidence: 90%
Finding
The user-level configuration enables the hook globally without meaningful trigger constraints, so the script will execute across all projects and prompts. That broad scope increases the blast radius of any script bug, prompt-triggered abuse, or future modification of the referenced script, especially because it runs in many unrelated repositories and contexts.

Ssd 3

Medium
Confidence: 97%
Finding
The skill broadly instructs agents to persist user corrections, requested capabilities, and conversation-derived context to local files. This creates a standing data-retention mechanism for potentially sensitive natural-language content, including proprietary information, personal data, credentials mentioned in errors, or internal plans, without necessity or minimization.

Ssd 3

Medium
Confidence: 97%
Finding
The learning template asks for 'Full context' and allows conversation and user feedback as sources, encouraging agents to retain more content than needed for troubleshooting or improvement. This increases the chance that sensitive prompts, business logic, personal information, or confidential text are copied into durable files.

Ssd 3

Medium
Confidence: 98%
Finding
The error template directs logging of input parameters and environment details, both of which frequently contain secrets, access tokens, internal hostnames, customer identifiers, or sensitive operational state. Persisting such data in markdown files creates clear leakage risk, especially if the files are later shared or committed.

Ssd 3

Medium
Confidence: 94%
Finding
The feature-request template asks agents to record what the user wanted and why they needed it, which can preserve sensitive business rationale, roadmap details, or personal context. Because the information is not strictly necessary in full fidelity, the template encourages over-collection and long-term retention.

Ssd 3

Medium
Confidence: 96%
Finding
The automatic logging rules create a default behavior of retaining conversation content whenever the user corrects the agent or provides new information. That makes ordinary dialogue a trigger for persistent storage, which is dangerous because users are unlikely to expect that their corrections or clarifications become saved records.

VirusTotal

63/63 vendors flagged this skill as clean.