Back to skill

Security audit

Self Improving Agent 1.0.1

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent self-improvement purpose, but it encourages durable logging and promotion of conversation and error details without enough consent, redaction, or scope limits.

Install only if you want durable project memory. Keep .learnings local unless reviewed, redact secrets and personal or customer data, avoid global always-on hooks unless you have reviewed the scripts and really want every prompt covered, and require explicit human review before promoting entries into CLAUDE.md, AGENTS.md, Copilot instructions, or new skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document claims the scripts 'only output text' and 'don't modify files or run commands', but the setup explicitly configures shell commands to be executed as hooks. This is dangerous because it downplays the execution risk of automatically invoked scripts, which may cause users to grant trust or permissions they would otherwise scrutinize.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The automatic triggers are based on common conversational phrases such as corrections and requests, which can cause routine user messages to be persisted without meaningful user intent or review. In this skill, that broad capture increases the likelihood of storing sensitive conversational content in `.learnings/` files and normalizes surveillance-like logging behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs persistent logging of learnings, errors, and corrections to markdown files but provides no warning about secrets, personal data, tokens, or proprietary content that may appear in user interactions or tool outputs. Because the storage target is durable project-local memory, sensitive information can be retained, indexed, committed, or later surfaced to other agents.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The error template explicitly tells users to record raw error output plus input and environment context, all of which commonly contain credentials, connection strings, file paths, internal hostnames, stack traces, or customer data. Persisting such material in plain markdown creates a straightforward path to accidental disclosure through source control, shared workspaces, or later agent retrieval.

Vague Triggers

Medium
Confidence
90% confidence
Finding
An empty matcher causes the hook to trigger on every prompt, creating a broad always-on execution path for the configured script. In a self-improvement skill, this increases attack surface and persistence because any compromised or modified hook script will run continuously across normal usage.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The user-level configuration recommends global activation, which broadens the hook's scope across all projects and sessions without strong constraints. This makes accidental misuse, data exposure, or persistence of maliciously altered scripts more dangerous because the hook is no longer limited to a single trusted repository.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Codex example uses an empty matcher, so the hook executes for every prompt without contextual limitation. In agent tooling, unconstrained automatic execution increases the chance that sensitive prompts, untrusted repositories, or modified local scripts trigger behavior outside the user's intent.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs agents to automatically persist user corrections, requests, and contextual inputs into local knowledge files, which can capture sensitive user-provided data in plain language. Because this is framed as automatic behavior tied to everyday dialogue, the risk is not theoretical: normal interactions may be transformed into durable records without informed consent or minimization.

Ssd 3

Medium
Confidence
93% confidence
Finding
The promotion workflow encourages moving learned content from `.learnings/` into shared memory surfaces like `CLAUDE.md`, `AGENTS.md`, and Copilot instructions, which broadens exposure and makes conversation-derived information part of future agent context. This creates a durable propagation channel where one accidental capture can be replicated across files and repeatedly presented to tools and collaborators.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.