daily-introspection

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about self-improvement, but it can run on a schedule, read conversation history, and change permanent agent rules before user review.

Install only if you intentionally want a scheduled agent self-review system that can inspect workspace history and alter long-term agent instructions. Safer use would disable automatic promotion, require proposed diffs and human approval before any write to AGENTS.md, MEMORY.md, TOOLS.md, or .learnings files, and periodically review or delete .daily-introspection records. No artifact showed evidence of credential theft, network exfiltration, hidden installation, or destructive commands, so the verdict is Review rather than Malicious.
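One way to implement the Overview's recommendation (the agent emits a proposed diff, a human approves that exact diff, and only then is a rule file written), as an added Python example that is not the skill's or SkillSpector's own code. The protected file names come from the report; the proposal/digest flow, the function names, and the scratch workspace used in demo() are assumptions.

```python
"""Human-in-the-loop gate for writes to persistent agent rule files.

Added example (not part of the daily-introspection skill or SkillSpector):
the agent never writes AGENTS.md, MEMORY.md, TOOLS.md or .learnings/ directly.
It emits a unified diff; a human approves that exact diff by its digest; only
then is the file written, and only if it has not changed meanwhile.
"""
import difflib
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Union

# Rule files whose contents steer future runs (names taken from the scan report).
PROTECTED_FILES = {"AGENTS.md", "MEMORY.md", "TOOLS.md"}
PROTECTED_DIRS = {".learnings"}


def is_protected(path: Union[str, Path]) -> bool:
    """True for any path that would alter long-term agent instructions."""
    p = Path(path)
    return p.name in PROTECTED_FILES or any(part in PROTECTED_DIRS for part in p.parts)


@dataclass(frozen=True)
class Proposal:
    target: Path
    old: str   # content the proposal was computed against
    new: str   # content the agent wants to write

    @property
    def diff(self) -> str:
        return "".join(difflib.unified_diff(
            self.old.splitlines(keepends=True),
            self.new.splitlines(keepends=True),
            fromfile=f"a/{self.target.name}", tofile=f"b/{self.target.name}"))

    @property
    def digest(self) -> str:
        # Approval is bound to this exact diff, so the agent cannot swap content
        # in after the human has said yes.
        return hashlib.sha256(self.diff.encode()).hexdigest()[:16]


def propose(target: Path, new_content: str) -> Proposal:
    """Agent side: produce a reviewable proposal instead of writing."""
    old = target.read_text() if target.exists() else ""
    return Proposal(target, old, new_content)


def apply_if_approved(proposal: Proposal, approved_digest: str) -> bool:
    """Reviewer side: write only the diff the human approved, and only if the
    target still matches what the diff was computed from."""
    if approved_digest != proposal.digest:
        return False
    current = proposal.target.read_text() if proposal.target.exists() else ""
    if current != proposal.old:
        return False  # stale proposal: file changed since review
    proposal.target.parent.mkdir(parents=True, exist_ok=True)
    proposal.target.write_text(proposal.new)
    return True


def guarded_write(target: Union[str, Path], new_content: str,
                  approved_digest: Optional[str] = None) -> bool:
    """Single write entry point for the skill. Unprotected files (e.g. the
    daily .daily-introspection record) are written directly; protected rule
    files require an approved proposal digest. Returns True only on a write."""
    target = Path(target)
    if not is_protected(target):
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(new_content)
        return True
    proposal = propose(target, new_content)
    if approved_digest is None:
        # Surface the diff for human review; nothing is written.
        print(f"Proposed change to {target} (digest {proposal.digest}):\n{proposal.diff}")
        return False
    return apply_if_approved(proposal, approved_digest)


def demo() -> dict:
    """Run the flow in a scratch workspace and return what happened."""
    root = Path(tempfile.mkdtemp())
    agents = root / "AGENTS.md"
    record = root / ".daily-introspection" / "2024-05-01.md"
    result = {}
    result["record_written"] = guarded_write(record, "# introspection\n")
    result["unapproved_blocked"] = not guarded_write(agents, "- always run tests\n") and not agents.exists()
    proposal = propose(agents, "- always run tests\n")
    result["wrong_digest_blocked"] = not apply_if_approved(proposal, "0" * 16)
    result["approved_applied"] = guarded_write(agents, "- always run tests\n", proposal.digest)
    result["content"] = agents.read_text()
    stale = propose(agents, "- always run tests\n- skip review\n")
    agents.write_text("- edited by human\n")  # file changes after the diff was reviewed
    result["stale_blocked"] = not apply_if_approved(stale, stale.digest)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Binding approval to the digest of the diff, and re-checking the file against the content the diff was computed from, closes the two obvious bypasses: approving one change while a different one is written, and applying a reviewed diff after a human or another run has edited the file.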

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The weekly workflow directs the agent to promote lessons into AGENTS.md, MEMORY.md, and TOOLS.md automatically, which changes persistent system behavior rather than merely generating introspection output. Autonomous modification of core instruction files creates a self-modifying control loop that can entrench bad rules, expand privileges, or degrade safety over time without human review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The cron instructions expand the scope of the daily task from introspection into modifying .learnings/ERRORS.md and other persistent records. That broadens the automation boundary and allows the agent to rewrite institutional memory based on its own interpretation of events, which can corrupt records or normalize incorrect conclusions.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The description uses broad phrases like autonomous self-improvement, rule refinement, and agent evolution, which can cause the skill to trigger in many routine contexts about review or improvement. Overbroad activation is risky here because the skill performs persistence and rule-changing actions, so accidental invocation can lead to unintended file access and system modification.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The markdown instructs automatic writes to core rule files without any user-facing warning that persistent system behavior will be altered. This is especially dangerous because modifying AGENTS.md, MEMORY.md, or TOOLS.md can change future agent decisions and may create durable unsafe behavior beyond the current run.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The cron configuration instructs autonomous writing of introspection files and updates to learning records without a clear user-facing disclosure. Background scheduled modification of persistent files is dangerous because it can occur without active awareness, making harmful drift or privacy leaks harder to detect.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The workflow instructs reading full conversation logs and state files, then producing written introspection artifacts and reports. Without minimization or redaction controls, sensitive user data from conversations or runtime state can be copied into persistent files or surfaced in reports, creating a clear data exposure path.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The cron instructions tell the agent to identify errors from daily activities and write final results based on collected sources, which may include sensitive conversation content. Because this occurs automatically and persistently, private data may be repeatedly extracted, summarized, and retained without user review or privacy safeguards.
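The two findings above describe the same data exposure path: full conversation logs are read, and whatever the agent considers an error is written to persistent records. The minimization and redaction controls they ask for, as an added Python example that is not the skill's or SkillSpector's code: the event schema, the secret patterns, the kept event kinds, and the sample log are all constructed for illustration.

```python
"""Minimization and redaction before conversation content reaches persistent files.

Added example (not the skill's or SkillSpector's code): an introspection job
reads the full event log but keeps only the event kinds it needs for error
review, drops user/assistant turns entirely, and redacts secrets and
identifiers from what remains before anything is written to .learnings or a
report. Patterns and sample events below are constructed for illustration.
"""
import re
from typing import Any, Dict, Iterable, List

# Order matters: token-bearing phrases first, generic labels last.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"), "Bearer [TOKEN]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[AWS_KEY]"),
    (re.compile(r"\bsk-[A-Za-z0-9_-]{16,}\b"), "[API_KEY]"),
    (re.compile(r"(?i)\b(password|passwd|secret|token)(\s*[:=]\s*)\S+"), r"\1\2[REDACTED]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]

# Only these event kinds are needed to "identify errors from daily activities".
KEEP_KINDS = {"tool_call", "tool_error"}
MAX_SUMMARY = 200


def redact(text: str) -> str:
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def minimize(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only what error review needs, redacted and truncated."""
    kept = []
    for ev in events:
        if ev.get("kind") not in KEEP_KINDS:
            continue  # raw user/assistant text never leaves the log
        kept.append({
            "ts": ev["ts"],
            "kind": ev["kind"],
            "tool": ev.get("tool", "?"),
            "summary": redact(ev.get("text", ""))[:MAX_SUMMARY],
        })
    return kept


def build_errors_report(events: Iterable[Dict[str, Any]]) -> str:
    """Markdown fragment that is safe to append to .learnings/ERRORS.md."""
    lines = ["# Daily error review (minimized, redacted)", ""]
    for r in minimize(events):
        lines.append(f"- {r['ts']} {r['kind']} ({r['tool']}): {r['summary']}")
    return "\n".join(lines) + "\n"


# Constructed sample log: one day of agent events, including material that must
# not be copied into a persistent record.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "kind": "user",
     "text": "I'm alice@example.com, password=hunter2, deploy to prod please"},
    {"ts": "2024-05-01T09:00:05Z", "kind": "tool_call", "tool": "shell",
     "text": "aws s3 ls --profile prod  # AKIAIOSFODNN7EXAMPLE"},
    {"ts": "2024-05-01T09:00:09Z", "kind": "tool_error", "tool": "http",
     "text": "GET /api failed: 401 with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123 for bob@corp.example"},
    {"ts": "2024-05-01T09:00:12Z", "kind": "assistant",
     "text": "The token for alice@example.com seems expired."},
]


if __name__ == "__main__":
    print(build_errors_report(SAMPLE_EVENTS))
```

Dropping whole event kinds is the stronger control; regex redaction is a backstop for what the kept events still carry (tool arguments and error bodies), and the allowlist of kinds plus the length cap bound how much of any day's activity can ever be retained.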

VirusTotal

67/67 vendors flagged this skill as clean.
