Security audit

Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it broadly observes agent activity, stores persistent memory, and can change other skills, so it needs careful review before installation.

Install only if you intentionally want a persistent self-improvement layer. Keep automatic hooks disabled for sensitive projects, require visible diffs and explicit approval before any skill changes, and define how memories and logs are redacted, reviewed, retained, and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Vague Triggers

Medium
Confidence: 93%
Finding
The manual trigger phrase set includes very broad natural-language commands such as '总结教训' and similar self-improvement prompts that could plausibly appear in ordinary conversation. In a self-improving agent context, accidental activation is more dangerous because the skill is designed to learn from prior interactions and potentially influence future behavior or code changes, so an unintended trigger can cause unwanted memory writes or self-modification workflows.

Vague Triggers

Medium
Confidence: 95%
Finding
The documented trigger list provides broad activation phrases without any scope boundaries, authentication, or exclusion guidance, which increases the chance of ambiguous or accidental invocation. Because this skill is explicitly 'self-improving' and learns from all skill experiences, overly permissive triggering expands the attack surface for prompt injection, unintended persistence, and unauthorized behavior changes.

Vague Triggers

High
Confidence: 93%
Finding
The README defines automatic triggering after ANY skill completes, which creates an unbounded execution scope for a component that performs learning, persistence, and skill updates. In the context of a self-improving agent, this broad trigger surface increases the chance of propagating bad inferences, processing sensitive data from unrelated workflows, and causing unintended self-modification across the environment.

Missing User Warnings

Medium
Confidence: 90%
Finding
The overview presents continuous learning and codebase evolution as features but does not clearly warn users that the skill writes persistent memory and may automatically update other skills. That missing disclosure is security-relevant because users may invoke or install it without understanding the persistence and self-modification behavior, undermining informed consent and safe deployment.

Missing User Warnings

Medium
Confidence: 94%
Finding
The hook examples pass raw tool input, tool output, and exit codes into shell scripts without prominently warning that potentially sensitive content may be captured and processed automatically. Because the skill is designed to learn from all interactions, this documentation effectively encourages broad collection of operational and user-provided data that may include secrets, proprietary code, or personal information.

Vague Triggers

High
Confidence: 96%
Finding
The skill is designed to activate across effectively all skill events, creating a pervasive always-on behavior with no meaningful scoping. In the context of a skill that can read, write, edit, run Bash, and modify other skills, this dramatically expands the attack surface and enables unintended propagation, cross-skill interference, and opportunistic capture of sensitive context.

Vague Triggers

High
Confidence: 98%
Finding
Triggering on 'Any skill starts' and 'Any skill completes' gives this skill universal reach over unrelated workflows. Combined with memory collection and update behavior, it can silently observe and influence tasks far outside user intent, making the context especially dangerous because the skill is explicitly self-modifying and repository-writing.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill announces automatic updates to skills and memory but does not foreground the privacy and repository-modification consequences. In practice, users may not realize that normal interactions can be persisted and codebase files altered, undermining informed consent and increasing the risk of unreviewed changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The appendix explicitly documents automatic background execution, session logging, and persistent memory storage under ~/.claude/memory, but it provides no notice, consent model, retention limits, or guidance on handling sensitive data. In a self-improving agent that learns from all skill experiences, this increases the chance that prompts, outputs, errors, and potentially secrets or personal data are silently retained and reused across sessions.

Ssd 3

Medium
Confidence: 92%
Finding
The documentation explicitly states that the agent learns from every skill interaction and continuously updates the codebase, establishing a broad data collection and retention pathway in natural language. In a self-improving skill, that context makes the issue more dangerous because experiences from many unrelated tasks can be centralized, retained, and later used to influence behavior or modifications across the system.

Ssd 3

High
Confidence: 97%
Finding
The hook configuration forwards raw TOOL_INPUT and TOOL_OUTPUT to scripts, creating a direct pathway for capture, analysis, and persistence of full session content. In this skill's context, where captured data feeds learning and future updates, this can expose credentials, source code, prompts, and other sensitive material far beyond the original task boundary.

Ssd 3

Medium
Confidence: 97%
Finding
The skill broadly logs session starts, completions, and errors across all skill activity, implying retention of user-provided context without sensitivity boundaries. Because the skill is universal and hook-based, this creates systemic context leakage risk, including accidental capture of secrets, proprietary code, credentials, and private prompts.

Ssd 3

Medium
Confidence: 95%
Finding
The memory design stores detailed task descriptions, situations, root causes, lessons, and user feedback in persistent files without rules for sanitization or exclusion of sensitive data. In a universal skill, that can turn transient operational context into a durable local data store containing confidential information that future runs may expose or misuse.

Ssd 3

High
Confidence: 99%
Finding
The hook wiring passes raw tool input and output directly into shell scripts, which can capture full command arguments, file contents, prompts, command results, and failures in plain language. This is especially dangerous because it applies to Bash, Write, and Edit operations, making secret exfiltration-to-disk and broad context leakage highly likely in normal use.

VirusTotal

60/60 vendors flagged this skill as clean.