Back to skill

Security audit

Self-Evolving Agent 🧠

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent self-analysis purpose, but it needs Review because it reads sensitive agent history, can run persistently, and its security claims understate network delivery and approval/apply behavior.

Install only if you are comfortable with this skill reading local agent transcripts and memory, running on a schedule or background monitor, and sending proposal text to configured delivery/LLM services. Prefer local/Ollama or provider none, avoid generic webhooks unless you control the endpoint, use --no-cron or uninstall/dry-run modes until reviewed, and manually inspect any approval path before allowing AGENTS.md changes or git commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (79)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document makes absolute privacy claims ('never transmits' and 'no data is sent to any remote server') that are contradicted elsewhere by outbound HTTPS requests and Discord delivery. Even if session transcripts are not sent directly, inaccurate security documentation can mislead users into granting access or enabling the tool under false assumptions about data handling.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The section states that all output is local only and no data is sent remotely, but then says the final proposal is delivered to a Discord channel by runtime. This contradiction creates a transparency and trust failure that can expose operational summaries or derived sensitive content to a third-party service despite the user's expectation of local-only behavior.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest states the skill never directly modifies AGENTS.md, yet the documented `sea approve <id>` command explicitly patches AGENTS.md and commits the change. This is a direct integrity and trust issue: operators may rely on a safety claim that is false and permit the skill in environments where automatic file modification should be prohibited.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The safety section says there is no code path that directly modifies AGENTS.md, but elsewhere the documentation explicitly defines an approval flow that performs in-place replacement and a git commit. Contradictory safety statements are dangerous because they undermine user risk assessment and can hide a real write path behind reassuring language.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This proposal promotes a dangerous anti-pattern by redefining safety as 'exec must always exit 0' and recommending constructs like `|| true` that suppress operational failures instead of handling them safely. In an agent skill that analyzes logs and proposes AGENTS.md changes, this can cause real errors, failed commands, or security-relevant conditions to be hidden from operators, undermining monitoring, incident response, and decision-making while giving a false appearance of success.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The roadmap explicitly proposes an approval workflow that applies changes directly to AGENTS.md and even creates git commits, which conflicts with the stated product contract that the skill only suggests changes and never edits directly. This is dangerous because operators may rely on the manifest's non-modifying guarantee while enabling a capability that can change governance or safety instructions in-place.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documentation explicitly states that `sea approve <id>` patches `AGENTS.md` and performs a `git commit`, which contradicts the declared skill scope of proposal-only behavior. This kind of scope drift is dangerous because operators may grant the skill trust or permissions based on the manifest while the documented workflow implies direct repository modification, enabling unintended or unauthorized changes.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The end-to-end workflow shows approval leading to `AGENTS.md` patching, `git commit`, and downstream state changes, again conflicting with the stated promise that the skill only proposes changes. In a security-sensitive agent ecosystem, this mismatch increases the chance of hidden write capabilities being normalized and approved by users under false assumptions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document explicitly depicts a flow where a user types 'μ μš©ν•΄μ€˜', AGENTS.md is updated, and an 'μžλ™ 컀밋' is created, which directly contradicts the skill's stated safety model of proposal-only behavior. Even though this is marketing content rather than executable code, it normalizes and may incentivize implementation of self-modifying behavior that bypasses human review controls.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
Phrases such as the agent 'evolves its own rules' and similar automatic-rewrite messaging overstate the system's autonomy and conflict with the documented safety gate that prohibits automatic modification. This can mislead operators and users into trusting or enabling a more autonomous and risky mode than intended.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill metadata says it only proposes AGENTS.md improvements and never edits directly, but this document recommends applying changes directly to AGENTS.md. That mismatch can cause downstream agents or operators to over-trust the skill's non-mutating claim and then permit or normalize direct configuration edits without the expected safeguards.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The document materially expands the skill from self-analysis into fleet-wide analysis and coordinated updates across multiple agents' AGENTS.md files. In an agent skill, this scope expansion increases blast radius: a faulty rule, poisoned analysis, or unsafe recommendation can propagate across the whole fleet rather than staying isolated to one agent.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation presents the system as proposal-only and approval-gated, but elsewhere describes fleet sync and bulk update workflows, creating a dangerous ambiguity about whether the skill can indirectly modify multiple agents. Ambiguous safety boundaries are risky because operators or downstream automation may rely on the safer description while the architecture still normalizes broad cross-agent change operations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script reads and analyzes MEMORY.md, which can contain broader long-term personal or operational context unrelated to the stated self-log analysis purpose. This creates an unnecessary data exposure surface and violates data minimization, especially because the contents are then summarized into the output JSON that may be consumed by other tools or users.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script reads ~/.openclaw/cron/jobs.json even though this source is not declared in the documented read set, which undermines operator transparency and expands collection beyond the stated scope. Hidden telemetry collection is risky because cron state can reveal operational schedules, failures, and internal job metadata that are not needed for the advertised purpose.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The report explicitly instructs users that a βœ… reaction means 'AGENTS.md automatic application + git commit', which contradicts the skill's stated safety boundary of proposal-only behavior. Even if this script itself does not perform the modification, presenting automatic-apply behavior can trigger unsafe downstream automation or mislead operators into authorizing changes they did not expect, undermining human review and change-control safeguards.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The security manifest claims to enumerate exported variables, but it omits credential-bearing outputs such as SEA_SLACK_WEBHOOK_URL, SEA_TG_BOT_TOKEN, SEA_TG_CHAT_ID, and SEA_WEBHOOK_URL that are actually parsed from config and exported later. This creates a documentation/control gap that can mislead reviewers and operators about secret exposure, increasing the chance those values are sourced into broader shell contexts, logged, or inherited by subprocesses without appropriate handling.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says it only proposes AGENTS.md improvements and never performs direct modifications, but this script actively creates, updates, and removes entries in the local cron registry. That mismatch is security-relevant because users and reviewers may grant trust or elevated permissions based on the claimed non-mutating behavior, while the script installs persistent scheduled execution that can repeatedly run the skill without further review.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The security manifest claims there are no external endpoints and no network activity, yet the cron job it registers is configured with Discord delivery. Even if this script does not itself perform the HTTP request, it sets up downstream network exfiltration of job output to an external service, which can mislead operators about data-flow and cause sensitive local output to be sent off-host unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script goes beyond a passive 'proposal-only' role by generating persistent configuration, invoking register-cron.sh, and calling validation/operational scripts. This creates durable behavior changes on the host and can cause ongoing automated execution, which is dangerous when users are told the skill never directly modifies behavior.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security manifest states that no external endpoints are called and that networking is absent, yet the script solicits and stores webhook URLs and Telegram bot credentials for later delivery. This is a material mismatch that can mislead reviewers and operators about data egress and secret handling, increasing the chance that sensitive integrations are configured without proper scrutiny.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script adds outbound delivery capabilities to Slack, Telegram, and arbitrary webhooks, which materially expands the skill's ability to transmit generated content off-host. In the context of a self-analysis/proposal skill, this creates a real data exfiltration path for proposal text and any sensitive information embedded in it, even if the feature appears operational rather than overtly malicious.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The generic webhook handler permits posting proposal contents to any URL specified in configuration, giving the skill arbitrary outbound network capability unrelated to its core analysis role. That flexibility significantly increases abuse potential because a compromised config, malicious operator, or unexpected runtime environment can redirect potentially sensitive content to attacker-controlled endpoints.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This helper transmits stdin prompt content to external LLM providers, which can include log-derived agent data. Even if the skill only 'proposes' changes and never edits files directly, sending internal logs or behavioral traces to third-party APIs creates a real confidentiality and data-governance risk that contradicts the narrow stated purpose.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script supports authenticated calls to Anthropic and OpenAI using environment-provided API keys, enabling external processing of potentially sensitive prompts. That capability is broader than a strictly local self-log-analysis helper and increases exposure of internal data, especially because stdin is forwarded wholesale with no classification or sanitization.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal