Security audit

learn-from-experience

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it can persist learned user preferences and automatically write them into multiple agents' global startup configuration files.

Install only if you want persistent agent memory. Before enabling sync, review what will be stored, restrict syncing to the agent configs you actually want changed, back up global config files, audit ~/learn-from-experience regularly, and review the optional Proactivity skill separately before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The heartbeat file goes beyond a passive health/status check by instructing the agent to trigger a global config sync when the cross-session index is stale. That creates a side effect during a routine check and can propagate state across sessions or scopes without an explicit user action, increasing the chance of unintended persistence or privilege expansion.

Description-Behavior Mismatch

Low
Confidence: 88%
Finding
The heartbeat logic depends on persistent files under ~/learn-from-experience/ to determine last-run markers and action notes, which makes a nominal health check rely on cross-session state. Even if intended for maintenance, this can hide persistent behavioral changes and create opportunities for stateful manipulation or confusing, non-transparent agent behavior.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill is designed to automatically detect multiple agent products and write into their home-directory global config files, which exceeds the narrow scope of a memory/reflection feature and creates cross-application side effects. This is dangerous because it silently propagates learned content into unrelated trusted configuration surfaces, potentially altering future agent behavior across products without clear, per-target consent.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
Auto-detecting installed agent products and syncing to all discovered global configs broadens the skill's authority beyond what users would reasonably expect from a 'learn from experience' capability. Because these configs are persistent and influential, this behavior can become a privilege expansion path that changes agent behavior system-wide and across sessions.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The setup flow expands beyond the declared skill boundary by instructing the agent to install an additional `Proactivity` skill and immediately continue with its setup. This creates a supply-chain and scope-creep risk: users consenting to one skill may unintentionally authorize execution of another skill with different behaviors, instructions, and persistence effects.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises automatic writes to persistent local state and the user's global agent config without requiring an explicit confirmation at the point of modification. Because those files are loaded across sessions, silent writes can alter future agent behavior in a way the user may not expect, creating a persistence and integrity risk.

Vague Triggers

Medium
Confidence: 84%
Finding
The audit/deletion triggers are defined in broad natural language, which can cause accidental activation when users use similar phrasing conversationally. In a memory-management skill, ambiguous destructive or disclosure actions are risky because they can lead to unintended data exposure or deletion without clear confirmation.

Vague Triggers

Medium
Confidence: 92%
Finding
The kill-switch phrase "忘记一切" ("forget everything") is a vague free-form command with no scope or disambiguation, so the system may erase memory when the user is being figurative, testing behavior, or referring to a subset of data. Because this skill handles persistent cross-session memory, ambiguous deletion semantics can cause unintended destructive actions and operational instability.

Missing User Warnings

High
Confidence: 97%
Finding
Exporting all stored memory to a file before deletion creates a new persistence and exfiltration channel for potentially sensitive data, especially in a skill designed for cross-session learning. If the export is written to disk or logs without strong controls, deletion actually increases exposure by duplicating the very data the user asked to remove.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The file content is entirely in Chinese and describes user-facing logging templates without any indication that the skill is intentionally locale-specific or that the user opted into Chinese. In a general-purpose agent skill, forcing a language can mislead users, reduce transparency of stored corrections, and cause the agent to persist or present information in a language the user cannot review, increasing the risk of hidden or misunderstood behavior.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs creation and ongoing modification of files under the user's home directory and states that confirmed preferences are auto-synced to global config, but the surfaced description does not clearly warn the user about this persistence and cross-session propagation. That creates a consent and integrity risk: a user may invoke the skill expecting ephemeral reflection, while it actually writes durable state and alters future agent behavior across sessions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The file explicitly states that the agent will load and automatically modify `~/learn-from-experience/memory.md`, including adding entries and compacting content, without any requirement for user consent, review, or change visibility. A skill that persistently edits a user-controlled file across sessions creates a stateful side effect that can silently store incorrect, sensitive, or manipulative instructions and influence future behavior.

Vague Triggers

Medium
Confidence: 88%
Finding
The stale-detection logic makes automatic sync activation broad: it can fire on any skill activation whenever the memory file is newer than the last recorded sync state. Because the rule is expressed in natural-language markdown instructions, that ambiguity can cause writes to occur in situations the user did not intend, increasing the chance of unexpected persistence and silent configuration drift.

Missing User Warnings

High
Confidence: 98%
Finding
The document specifies automatic writes to global configuration files without an upfront warning or explicit consent gate, which is especially risky because these files affect future agent behavior across sessions. Silent persistence into trusted config locations can embed incorrect, sensitive, or manipulative instructions that are hard for users to notice and remove.

Missing User Warnings

Medium
Confidence: 96%
Finding
The setup directs creation and later modification of persistent files under the user's home directory, including agent global config files, without an up-front warning about filesystem writes, cross-session persistence, or what data will be stored. In a skill designed to capture corrections and sync them globally, this is especially sensitive because it can silently alter future agent behavior across projects and sessions.

Ssd 3

Medium
Confidence: 96%
Finding
Persisting learned preferences and corrections across sessions via global config creates a durable semantic memory channel that can be influenced by user or prompt content. If incorrect, sensitive, or adversarial content is promoted into always-loaded config, it can steer future sessions persistently and be difficult for users to notice or unwind.

Ssd 3

Medium
Confidence: 97%
Finding
Automatic logging of corrections and statements like 'remember that I always...' establishes a data-retention channel for semantically rich user information. Even with stated boundaries, the heuristic capture of user utterances risks storing sensitive personal, behavioral, or project-specific data that may later influence model behavior or be exposed through memory export and sync features.

Ssd 3

High
Confidence: 99%
Finding
The cross-session sync protocol explicitly instructs copying learned preferences into always-loaded global config, turning mutable memory into persistent control-plane input. This materially increases risk because any poisoned, mistaken, or privacy-sensitive entry can affect every future session automatically, and syncing to multiple products broadens the blast radius.

Ssd 3

Medium
Confidence: 96%
Finding
The deletion workflow explicitly instructs exporting all memory for review before erasure, which creates a plain-language data disclosure path at the exact moment the user expects privacy protection. In this skill context, where memories may include cross-session behavioral data, that step materially increases the risk of exposing personal or sensitive information to files, logs, or unintended recipients.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.