Openclaw Self Improving Agent 3.0.1

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it asks agents to keep durable memories and inject them into future sessions with broad triggers and limited privacy controls.

Install only if you intentionally want agent memory that persists across sessions. Avoid global every-prompt hooks, review entries before promoting them into instruction files, and redact secrets, personal data, raw transcripts, tokens, command output, and proprietary details before storing or sharing learnings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill markets itself as a passive learning/logging aid, but its instructions also introduce startup injection, per-prompt reminders, automatic error scanning, and skill extraction/scaffolding behaviors. This mismatch is security-relevant because operators may approve or deploy it assuming narrow scope, while it actually expands agent influence and persistence across sessions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document's security section asserts that the scripts 'only output text' and 'don't modify files or run commands', but the same file configures them as command hooks and also instructs users to execute another script directly. That contradiction can lead users to grant trust and enable automation under false assumptions, increasing the chance that hook scripts run with broader privileges or side effects than expected.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation guidance is broad enough that routine failures, corrections, or ordinary discussion can invoke the skill in many normal interactions. In an agent environment, over-broad triggers can cause constant background logging and policy drift, increasing the chance of storing sensitive context or performing actions the user did not explicitly request.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The document directs the agent to 'automatically log' based on common phrases like corrections and requests that frequently occur in everyday conversation. That creates a real risk of unsolicited retention of user statements, including inaccurate, sensitive, or context-specific content, without meaningful user awareness.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The main SKILL.md template asks authors to include trigger conditions, but it does not require them to be specific, bounded, or include non-trigger cases. In a self-improving agent context, ambiguous trigger language can cause over-broad skill activation, making the agent apply procedural or corrective guidance in unintended situations and potentially chain into unsafe actions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The minimal template's description field only asks what the skill does and when to use it, without enforcing precise invocation scope, exclusions, or safety constraints. Because this repository is for a self-improving agent that may operationalize learnings into reusable behaviors, vague descriptions increase the likelihood of accidental activation and incorrect autonomous handling of future tasks.

Vague Triggers

Low
Confidence
78% confidence
Finding
The script-oriented template documents executable helpers but does not require warning text around when scripts may be safely invoked, what permissions they need, or what side effects they have. In an agent skill ecosystem, that omission can make a skill description implicitly authorize script execution in situations where the environment, inputs, or trust boundaries are inappropriate.

Vague Triggers

Medium
Confidence
93% confidence
Finding
An empty matcher causes the UserPromptSubmit hook to run for every prompt, creating a very broad trigger surface. In this skill context, that means unscoped automatic execution of a local script on all interactions, which increases exposure to unwanted behavior, prompt-context pollution, and abuse if the hooked script is altered or behaves unexpectedly.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The user-level example installs the hook globally with an empty matcher, so the script will run across all sessions and projects. That broad persistence increases the blast radius of any script bug, compromise, or unexpected output, especially because it affects unrelated repositories and tasks rather than a single reviewed project.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Although labeled 'minimal,' this example still uses an empty matcher, so the activator runs on every prompt rather than only on error or learning-relevant scenarios. The reduced number of hooks lowers overhead, but not the core risk of indiscriminate execution and unnecessary context injection.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The Codex CLI example repeats the same empty-matcher configuration, carrying forward the same always-on behavior into another tool ecosystem. Replicating the pattern across tools makes the unsafe default more likely to spread and be adopted without users understanding the invocation scope.
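The four findings above describe one pattern: a command hook with an empty matcher, sometimes installed at user level so it fires in every project. The following audit script is an added example, not code from the skill or from SkillSpector. It assumes a settings layout with a top-level "hooks" map of event name to a list of `{"matcher": ..., "hooks": [{"type": "command", "command": ...}]}` entries; the event name `PostToolUse`, the matcher value `Bash`, and the script paths are placeholders chosen for the example, so adapt them to the agent tool you actually run. It checks a weak configuration (empty matcher on UserPromptSubmit, home-directory script, global install) against a narrowed one (matcher on a tool event, project-local script, project install).

```python
"""Audit an agent hooks configuration for over-broad, always-on command hooks.

Added example, not part of the skill. The settings layout, the event name
PostToolUse, the matcher value "Bash", and the script paths are assumptions.
"""
import json

# Constructed sample: the weak setup the findings flag. An empty matcher on
# UserPromptSubmit runs a home-directory script on every prompt.
WEAK_SETTINGS = {
    "hooks": {
        "UserPromptSubmit": [
            {
                "matcher": "",
                "hooks": [{"type": "command",
                           "command": "bash ~/.openclaw/workspace/scripts/on-prompt.sh"}],
            }
        ]
    }
}

# Constructed sample: a narrower setup. The hook is attached to a tool event
# with a matcher (names assumed), so it runs only after a shell tool call, and
# it points at a script inside the reviewed project rather than under $HOME.
SCOPED_SETTINGS = {
    "hooks": {
        "PostToolUse": [
            {
                "matcher": "Bash",
                "hooks": [{"type": "command",
                           "command": "bash ./scripts/scan-last-output.sh"}],
            }
        ]
    }
}

ALWAYS_ON = {"", "*", ".*"}  # matcher values that match every occurrence of the event


def audit_hooks(settings, scope="project"):
    """Return a list of (severity, message) for hook entries that execute commands.

    scope is where the settings file is installed: "project" (one repository)
    or "user" (global: every session and every project).
    """
    findings = []
    for event, entries in settings.get("hooks", {}).items():
        for idx, entry in enumerate(entries):
            commands = [h for h in entry.get("hooks", []) if h.get("type") == "command"]
            if not commands:
                continue  # nothing executes, so nothing to flag
            where = f"{event}[{idx}]"
            matcher = entry.get("matcher", "")
            if matcher in ALWAYS_ON:
                # Empty matcher: the script runs on every occurrence of the event;
                # on the prompt-submit event that means every single interaction.
                sev = "high" if event == "UserPromptSubmit" else "medium"
                findings.append((sev, f"{where}: matcher {matcher!r} runs "
                                      f"{len(commands)} command(s) on every {event}"))
            if scope == "user":
                findings.append(("medium", f"{where}: user-level install applies "
                                           "to every project and session"))
            for hook in commands:
                cmd = hook.get("command", "")
                if "~/" in cmd or "$HOME" in cmd:
                    # Whatever can write under the home directory controls what this
                    # hook executes, so a bug or compromise there reaches every prompt.
                    findings.append(("low", f"{where}: command {cmd!r} lives under the "
                                            "home directory; anything that writes there controls it"))
    return findings


def audit_json(text, scope="project"):
    """Parse the text of a settings file and audit it."""
    return audit_hooks(json.loads(text), scope)


if __name__ == "__main__":
    for name, cfg, scope in [("weak / user-level", WEAK_SETTINGS, "user"),
                             ("scoped / project-level", SCOPED_SETTINGS, "project")]:
        print(name)
        for sev, msg in audit_hooks(cfg, scope) or [("ok", "no findings")]:
            print(f"  {sev:<6} {msg}")
```

Run it against the settings file you are about to install, passing `scope="user"` for a global install; an empty result is the bar for an every-prompt hook, and anything rated high should be narrowed to a tool event or dropped.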

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly recommends promoting learnings from ephemeral session notes into persistent workspace files such as SOUL.md, TOOLS.md, and AGENTS.md without any guidance to scrub secrets, personal data, or sensitive project details first. In a self-improving agent context, this creates a realistic risk of long-term retention and wider re-injection of sensitive information across future sessions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file documents cross-session history reading, messaging, and agent spawning features as normal workflows but does not warn that these can expose prior session content or propagate sensitive data across contexts. In an agent framework that already relies on injected workspace state, normalizing these operations without access-control and privacy guidance increases the chance of unintended disclosure.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill encourages sharing learnings across sessions using transcript/history tools and persistent workspace files, but it provides no data minimization, consent, or access-control guidance. That can expose user-provided content beyond the original session boundary, turning transient chat data into durable cross-session memory.

Ssd 3

Medium
Confidence
97% confidence
Finding
The logging templates ask for full context, inputs, parameters, and raw error/output details, which commonly contain secrets, tokens, file paths, personal data, or proprietary prompts. Persisting this information to markdown files substantially increases the blast radius of any accidental disclosure or later compromise.

Ssd 3

Medium
Confidence
96% confidence
Finding
Automatically detecting and logging corrections, feature requests, and user-provided information converts normal conversational content into persistent records without a consent checkpoint. Because these triggers are broad, the skill can silently retain sensitive preferences, business context, or other user-supplied details that were never intended for durable storage.
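The findings on promotion into SOUL.md, TOOLS.md and AGENTS.md and on logging templates that capture raw inputs and output both come down to the same gap: nothing scrubs a learning entry before it becomes durable. The following scrubber is an added example, not part of the skill, and implements the redaction the overview recommends (tokens, secrets, personal data, raw command output, home-directory paths). The entry format (a markdown heading followed by Context, Parameters, Error output and Learning lines) and the sample entry are constructed for the example; the regex list is illustrative rather than exhaustive and should be extended for the environment. Its gate is deliberately strict: any entry that needed redaction is routed to human review instead of being promoted automatically.

```python
"""Scrub a learning entry before it is promoted from session notes into a
persistent instruction file. Added example; the entry format, the sample
entry and the pattern list are assumptions, and the list is not exhaustive.
"""
import re

FENCE = "`" * 3  # built at runtime so the example stays a single markdown block

# Fenced blocks in an entry hold raw command output, which the overview says
# must not be stored; they are dropped wholesale rather than pattern-matched.
FENCED = re.compile(re.escape(FENCE) + r".*?" + re.escape(FENCE), re.S)

# (label, pattern, replacement) applied in order after fenced output is removed.
REDACTIONS = [
    ("credential", re.compile(r"(?i)\b(api[_-]?key|token|password|secret)\b\s*[=:]\s*\S+"),
     r"\1=[REDACTED]"),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    ("token", re.compile(r"\b(?:sk|ghp|gho|xox[abp])[-_][A-Za-z0-9_-]{10,}"), "[REDACTED_TOKEN]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED_EMAIL]"),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[REDACTED_IP]"),
    ("home_path", re.compile(r"/(?:home|Users)/[^/\s]+"), "/home/[USER]"),
]

# Constructed sample entry of the kind a "full context, inputs, parameters,
# raw error output" template produces; every value in it is made up.
SAMPLE_ENTRY = "\n".join([
    "## LRN-001: deploy fails when region is unset",
    "Context: alice@example.com ran deploy.sh from /home/alice/proj on 10.0.4.17",
    "Parameters: AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP token=ghp_abcdefghijklmnop1234",
    "Error output:",
    FENCE,
    "Traceback (most recent call last):",
    '  File "/home/alice/proj/deploy.py", line 12, in <module>',
    "botocore.exceptions.NoRegionError: You must specify a region.",
    FENCE,
    "Learning: check that AWS_REGION is set before running deploy.sh.",
])


def _omit_block(match):
    """Replace a fenced output block with a placeholder that keeps only its size."""
    body = match.group(0).split("\n")[1:-1]
    return f"[raw output omitted: {len(body)} lines]"


def scrub(text):
    """Return (scrubbed_text, counts); counts maps a label to replacements made."""
    counts = {}
    text, n = FENCED.subn(_omit_block, text)
    if n:
        counts["output_block"] = n
    for label, pattern, replacement in REDACTIONS:
        text, n = pattern.subn(replacement, text)
        if n:
            counts[label] = n
    return text, counts


def needs_review(text):
    """True when the entry contained anything the scrubber had to remove.

    Such entries should not be promoted automatically: the author wrote
    sensitive material into a learning, so a person should confirm that the
    scrubbed version still says something worth keeping.
    """
    return bool(scrub(text)[1])


if __name__ == "__main__":
    clean, counts = scrub(SAMPLE_ENTRY)
    print(clean)
    print("redactions:", counts)
    print("route to review:", needs_review(SAMPLE_ENTRY))
```

Run `scrub` over each entry in the session's learning files before copying anything into a workspace instruction file, and treat `needs_review` returning True as a stop, not as a warning; the placeholder for omitted output keeps the entry readable while making sure paths and tracebacks never reach the persistent file.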

Session Persistence

Medium
Category
Rogue Agent
Content (excerpt from the skill's SKILL.md)
```
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
```
Confidence
84% confidence
Finding
The 'Create Learning Files' step runs `mkdir -p ~/.openclaw/workspace/.learnings`, creating the learnings directory under the user's home workspace where logged entries persist beyond the session that produced them.

VirusTotal

0/63 vendors flagged this skill; all 63 reported it as clean.
