myskill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed self-improvement logging skill, but it needs review because it can persist sensitive conversation and error details into long-lived agent memory without enough scoping or redaction guidance.

Install only if you want an agent to maintain durable local memory. If you do:
  • Keep .learnings local or gitignored for sensitive projects.
  • Redact secrets and customer or personal data before logging.
  • Avoid global always-on hooks unless you trust the scripts and their scope.
  • Review every entry before promoting it into CLAUDE.md, AGENTS.md, SOUL.md, TOOLS.md, or Copilot instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The document's security section materially understates risk by claiming the scripts only output text and do not run commands, while the examples explicitly configure them as command hooks and also instruct direct execution of a shell script. This can cause operators to trust and deploy executable hook scripts with insufficient scrutiny, increasing the chance of unintended code execution or privilege misuse.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation guidance is broad enough to activate during many normal interactions, which can cause excessive logging, persistence, and instruction-file modification beyond what the user intended. In a memory-oriented skill, over-triggering increases data capture and widens the blast radius of mistakes because ordinary chat content may be turned into durable artifacts.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger phrases are generic everyday language, so the skill may infer logging or persistence from ordinary conversation rather than true errors or confirmed corrections. Because the skill stores and promotes information across sessions and files, false activations can silently preserve sensitive or low-quality context and influence future agent behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The templates instruct the agent to record detailed user context, inputs, parameters, environment details, and raw error/output without any redaction guidance. These fields commonly contain secrets, tokens, personal data, file paths, hostnames, or proprietary content, so persistent plaintext logging can become a direct confidentiality risk.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
An empty matcher causes the hook to fire for every prompt, creating a very broad trigger surface for an automatically executed command. In a self-improvement skill, this increases exposure of all user interactions and can lead to pervasive data capture, prompt contamination, or unnecessary execution of local scripts on every session event.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The user-level configuration applies automatic command-hook execution globally with an empty matcher, extending the behavior across all projects and sessions. This broad scope magnifies the impact of any script defect, unexpected data exposure, or future script modification because it persists outside the immediate project context.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The Codex CLI example also uses an empty matcher, so the command hook runs for all prompts without contextual restriction. In practice this creates unnecessary execution frequency and broadens the chance that sensitive prompt content or environment state is processed by the hook in situations unrelated to learning capture.
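The three findings above (the project-level empty matcher, the user-level empty matcher, and the Codex CLI example) all come down to one check a reviewer can run before installing: does any command hook fire without a matcher, and at which scope? The following audit is an added example, not code from the skill or from any agent vendor. It assumes the hook files follow the shape Claude Code uses in settings.json, {"hooks": {<event>: [{"matcher": str, "hooks": [{"type": "command", "command": str}]}]}}; the two settings documents, the script paths and the event names in them are constructed for the example, and Codex CLI's own hook file may be shaped differently.

```python
"""Audit agent hook settings for always-on command hooks.

Added example, not code from the skill or from any agent vendor. Assumption not
taken from the report: the files follow the shape Claude Code uses for hooks in
settings.json, {"hooks": {<event>: [{"matcher": str, "hooks": [{"type":
"command", "command": str}]}]}}. Other agents' hook files may differ; adapt
find_broad_command_hooks() if yours does.
"""
import json
from typing import Dict, List

# Constructed user-level settings of the kind the findings describe: a command
# hook with an empty (or absent) matcher, installed globally for every project.
USER_SETTINGS = json.loads("""
{
  "hooks": {
    "UserPromptSubmit": [
      {"matcher": "",
       "hooks": [{"type": "command", "command": "~/.claude/skills/myskill/scripts/capture.sh"}]}
    ],
    "SessionStart": [
      {"hooks": [{"type": "command", "command": "~/.claude/skills/myskill/scripts/session_start.sh"}]}
    ]
  }
}
""")

# Constructed project-level alternative: the same capture script, but only after
# the Bash tool runs, and only inside this project.
PROJECT_SETTINGS = json.loads("""
{
  "hooks": {
    "PostToolUse": [
      {"matcher": "Bash",
       "hooks": [{"type": "command", "command": "./scripts/capture.sh"}]}
    ]
  }
}
""")


def find_broad_command_hooks(settings: Dict, scope: str) -> List[str]:
    """One finding per command hook whose matcher is empty or missing.

    scope is "user" or "project"; a user-level hit is reported as such because
    it applies to every project on the machine, not just the one being worked on.
    """
    findings = []
    for event, groups in settings.get("hooks", {}).items():
        for index, group in enumerate(groups):
            matcher = group.get("matcher", "")
            for hook in group.get("hooks", []):
                if hook.get("type") != "command" or matcher:
                    continue
                reach = "every project" if scope == "user" else "this project"
                findings.append(
                    f"{scope} settings, {event}[{index}]: command {hook.get('command')!r} "
                    f"runs on every {event} event in {reach} (no matcher)"
                )
    return findings


def audit(user_settings: Dict, project_settings: Dict) -> List[str]:
    """Audit both scopes; user-level findings come first because they reach furthest."""
    return (find_broad_command_hooks(user_settings, "user")
            + find_broad_command_hooks(project_settings, "project"))


if __name__ == "__main__":
    for line in audit(USER_SETTINGS, PROJECT_SETTINGS):
        print(line)
```

For prompt-level events such as UserPromptSubmit there is no tool name to match, so an empty matcher is the only possible value there; the narrowing has to come from choosing a tool-scoped event and keeping the hook in the project's own settings, which is what the second sample does. A zero-finding result says nothing about what the hook script itself does: read it before installing.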

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill encourages sharing learnings across sessions and reading other session transcripts, but it does not define access controls, consent checks, or data minimization boundaries. Cross-session transcript access can expose unrelated user data or privileged context, making this materially more dangerous than ordinary local note-taking.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The logging schemas explicitly ask for full error text, user context, command inputs, and parameters, which are common carriers of credentials, internal URLs, stack traces, and proprietary data. Persisting this material in markdown files creates durable plaintext records that can later be committed, indexed, or shared accidentally.
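The overview's advice to redact before logging, the Missing User Warnings finding and the finding directly above all point at the same gap: the templates ask for raw error text, inputs, parameters and environment with no redaction step. Below is an added example of what that step could look like, written for this page and not taken from the skill's scripts. It assumes an entry is a dict with the field names the findings mention (context, inputs, parameters, environment, raw_output), uses a constructed sample entry, and its regex list is a starting point rather than a complete catalogue of secret formats.

```python
"""Redaction pass for .learnings entries before they are written to disk.

Added example, not part of the skill or its scripts. Assumptions not taken from
the report: an entry is a dict with the fields the findings list (context,
inputs, parameters, environment, raw_output); the regexes below are a starting
point, not a complete catalogue of secret formats.
"""
import re
from typing import Dict, List

# (name, pattern). Order matters: wide patterns (key blocks, Authorization
# headers, URLs with credentials) run before the narrower ones so a later rule
# does not match the tail of something already replaced. Negative lookaheads
# keep a pattern from matching its own placeholder on a second pass.
SECRET_PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("bearer", re.compile(r"\bbearer\s+[A-Za-z0-9\-._~+/]+=*", re.I)),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
    ("url_creds", re.compile(r"(https?://)(?!\[REDACTED)([^/\s:@]+):([^/\s@]+)@", re.I)),
    ("assignment", re.compile(r"\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)(?!\[REDACTED)(\"[^\"]*\"|'[^']*'|\S+)", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

# Environment variables worth keeping in a learning entry. Anything else (HOME,
# tokens, proxy URLs with credentials) is dropped rather than redacted, because
# an unknown variable is not worth the risk of a pattern missing it.
ENV_ALLOWLIST = {"OS", "SHELL", "LANG", "TERM"}

# Constructed sample entry; the secrets in it are fake values of the real shapes.
SAMPLE_ENTRY = {
    "title": "deploy script failed",
    "context": "User asked to redeploy staging; reached me at ops@example.com",
    "inputs": "aws s3 cp build.tgz s3://acme-internal-artifacts/ --region us-east-1",
    "parameters": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE password=hunter2",
    "raw_output": "curl: (22) 401 from https://alice:s3cret@artifacts.internal.acme/ ... "
                  "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc",
    "environment": {"SHELL": "/bin/zsh", "HOME": "/Users/alice",
                    "GITHUB_TOKEN": "ghp_abcdefghijklmnopqrstuvwxyz0123456789"},
}


def redact_text(text: str) -> str:
    """Replace every secret-shaped match with a labelled placeholder."""
    for name, pattern in SECRET_PATTERNS:
        if name == "url_creds":
            text = pattern.sub(r"\1[REDACTED:url_creds]@", text)
        elif name == "assignment":
            text = pattern.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED:assignment]", text)
        else:
            text = pattern.sub(f"[REDACTED:{name}]", text)
    return text


def find_secrets(text: str) -> List[str]:
    """Names of the patterns that still match; empty list means nothing detected."""
    return [name for name, pattern in SECRET_PATTERNS if pattern.search(text)]


def scrub_environment(env: Dict[str, str]) -> Dict[str, str]:
    """Keep only allow-listed variables, redacting their values as well."""
    return {k: redact_text(v) for k, v in env.items() if k in ENV_ALLOWLIST}


def render_entry(entry: Dict[str, object]) -> str:
    """Render one markdown entry with every free-text field passed through redact_text."""
    lines = [f"## {redact_text(str(entry.get('title', 'untitled')))}"]
    for field in ("context", "inputs", "parameters", "raw_output"):
        if field in entry:
            lines.append(f"- {field}: {redact_text(str(entry[field]))}")
    env = scrub_environment(entry.get("environment", {}))
    lines.append("- environment: " + ", ".join(f"{k}={v}" for k, v in sorted(env.items())))
    return "\n".join(lines)


def safe_to_promote(rendered: str) -> bool:
    """Gate before copying an entry into CLAUDE.md, AGENTS.md or similar:
    refuse if any secret pattern still matches after redaction."""
    return not find_secrets(rendered)


if __name__ == "__main__":
    rendered = render_entry(SAMPLE_ENTRY)
    print(rendered)
    print("safe to promote:", safe_to_promote(rendered))
```

The gate at the end is the part that addresses the promotion step: redaction runs when the entry is written, and find_secrets() runs again before anything is copied into a higher-authority instruction file, so a pattern added later still catches older entries. Regex redaction is a floor, not a ceiling; internal hostnames, proprietary identifiers and customer names need project-specific patterns or a human review pass.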

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The advice to 'promote aggressively' into persistent instruction files increases the risk that user-derived or sensitive operational details get copied into high-authority context files that shape future behavior. Once promoted, the information becomes more durable and influential, making accidental disclosure or instruction poisoning harder to unwind.

VirusTotal

66/66 vendors reported this skill as clean. A clean antivirus verdict covers known malware signatures only; it says nothing about the behavioural findings above, which concern what the skill persists and when its hooks run.