Back to skill

Security audit

Reflect

Security checks across malware telemetry and agentic risk

Overview

This self-improvement skill is not malicious, but it can persist conversation-derived learnings globally and write live agent or skill files, so it needs user review before installation.

Install only if you want an agent to keep durable learning records and propose persistent behavior changes. Review every proposed diff before approving, avoid enabling auto-reflection unless you are comfortable with files being created during compaction, and periodically inspect or delete ~/.claude/reflections, ~/.reflect, and any generated .claude/skills entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The logged plan expands a reflection feature into broad filesystem operations, including creating project and global reflection stores and writing cross-session artifacts. In an agent context, this increases the data collection surface and can persist sensitive conversation-derived content beyond the immediate task, which is risky even if framed as a productivity feature.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Global reflection archive management is broader than the skill's stated purpose of learning from corrections. This creates a durable, centralized repository of user and session-derived metadata that could be mined later, increasing confidentiality and privacy risk if the archive is exposed or misused.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code writes reflection metadata into a global store under the user's home directory and a cross-project by-project archive, which expands data persistence beyond the current project boundary. Even if intended for convenience, this creates cross-project data aggregation and retention that can expose sensitive project names, paths, and reflection contents to unrelated contexts or future runs.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The per-agent global learnings file accumulates quoted user/session material and proposed additions in a durable dossier keyed by agent name. This can create a long-lived cross-project memory store containing sensitive corrections or content fragments that were only appropriate for a single project or session.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script can directly create a new skill on disk rather than merely proposing one, which gives it modification capability over agent behavior files. In a self-improvement skill, that increases the risk of persistence, unauthorized behavior changes, or planting unsafe instructions through generated content.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The proposed triggers include broad natural-language phrases such as "review session," "what did I learn," and "extract learnings," which can easily occur in ordinary conversation and unintentionally activate a skill that can read, write, edit, and invoke Bash. In this skill’s context, accidental activation is more dangerous because the skill is explicitly designed to persist changes and update agent definitions across sessions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation advertises that learnings are "encoded permanently into agent definitions" without an adjacent, prominent warning that this changes persistent behavior beyond the current session. That creates a consent and safety issue because users may not realize ordinary conversation content or corrections can become durable configuration changes.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill authorizes reflection not only on explicit `/reflect` commands, but also on session ending, context compaction, and loosely defined 'successful patterns worth preserving.' In context, this can cause the agent to analyze and persist conversation-derived content without a fresh, explicit user action, increasing the chance of unintended data capture and repository modifications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The top-level description presents the skill as a self-improvement utility but does not upfront disclose that it may write persistent files, create skills, update agent files, and commit changes. That omission can mislead users into invoking it without understanding that it performs durable state changes beyond the current session.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes an automatic mode that creates reflection output files and updates indexes during the PreCompact hook, but it does not prominently warn users that this mode performs persistent data modifications based on conversation transcripts. In a self-improvement skill, that matters because users may enable a hook expecting passive analysis while it silently writes artifacts derived from potentially sensitive session content.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The low-confidence trigger set includes very common conversational terms such as 'good', 'nice', and 'maybe', which can cause the skill to infer persistent learnings from ordinary dialogue rather than explicit user instruction. In a self-modifying reflection skill, that creates a meaningful risk of erroneous memory formation or unwanted updates to agent files or skills based on casual phrasing.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Approval markers like 'perfect', 'exactly', 'that's right', and 'correct' are broad enough to match normal conversational acknowledgments, so the skill may overinterpret incidental approval as endorsement of a reusable rule or behavior. Because this skill is designed to preserve successful patterns and propose agent updates, false approvals can propagate incorrect behavior into persistent configuration or new skills.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function writes user-supplied content directly into a SKILL.md file, overwriting any existing file without validation, review, or warning. This enables prompt/content injection to become persistent agent behavior, and can also destroy an existing skill definition.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script performs multiple writes to project and home-directory reflection/index files with no local disclosure or consent check at the write sites. In a reflection skill, silent persistence is risky because users may not expect session-derived content and project metadata to be stored in both local and global locations.

Ssd 3

Medium
Confidence
95% confidence
Finding
The guide describes retaining conversation-derived learnings, storing state in persistent directories, tracking metrics, and carrying improvements across sessions. This creates a natural-language data leakage risk because sensitive user content, secrets, proprietary prompts, or contextual details can be summarized or preserved in files that outlive the original conversation.

Ssd 3

Medium
Confidence
97% confidence
Finding
The workflow instructs the system to log learnings, store reflections across project/global locations, and include source quotes with 'exact words.' Because the content source is user conversation, this creates a substantial retention and propagation risk for secrets, personal data, internal discussions, or sensitive business context across files and future sessions.

Ssd 3

Medium
Confidence
92% confidence
Finding
The instructions explicitly direct persistent logging and indexing of user corrections and learnings across project and global storage. Because those learnings are derived from conversations, this can capture sensitive operational details, preferences, and possibly secrets, creating unnecessary long-term surveillance and leakage risk.

Ssd 3

Medium
Confidence
90% confidence
Finding
The portable skill plan includes collecting and copying session-derived data into global by-project and by-agent repositories, normalizing cross-session replication of potentially sensitive data. In a skill meant to be reusable by other agentic tools, this is more dangerous because it encourages broad persistence patterns that may be adopted in less controlled environments.

Session Persistence

Medium
Category
Rogue Agent
Content
- extract learnings
allowed-tools:
  - Read
  - Write
  - Edit
  - Grep
  - Glob
Confidence
84% confidence
Finding
Write - Edit - Grep - Glob - Bash metadata: clawdbot: emoji: "🪞" requires: bins: ["python3"] config: requiredEnv: [] stateDirs: ["~/.reflect", "~/.claude/sessio

Session Persistence

Medium
Category
Rogue Agent
Content
### Incremental Updates
- ONLY add to existing sections
- NEVER delete or rewrite existing rules
- Preserve original structure

### Conflict Detection
Confidence
78% confidence
Finding
write existing rules - Preserve original structure ### Conflict Detection - Check if proposed rule contradicts existing - Warn user if conflict detected - Suggest resolution strategy ## Integration

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.