Security audit

Super Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill persistently records agent learnings and can optionally install reminder hooks. The behavior is disclosed and aligned with the stated purpose, and the audit found no evidence of exfiltration or destructive actions.

Install only if you want persistent learning logs and agent-memory updates. Keep the hooks disabled unless you accept reminders on every prompt, do not install them globally where they would fire in unrelated projects, and redact secrets and sensitive conversation details before anything is written to disk or shared across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The skill’s stated purpose is self-improvement logging, but the file also directs hook installation, cross-session tooling use, output inspection, and skill scaffolding. This mismatch can cause operators to grant broader trust than warranted and may enable unexpected file writes or automation in environments where the skill was only approved for note-taking.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The skill documents use of session history, cross-session messaging, and sub-agent spawning even though its core purpose is logging learnings. Those capabilities expand data access and action surface, creating opportunities to move transcript-derived information across sessions or trigger autonomous work beyond what a simple memory skill requires.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding:
The extraction workflow adds code-generation/scaffolding behavior that goes beyond recording learnings. While not inherently malicious, it can cause unreviewed filesystem changes and promote informal notes into executable skill structures without a separate trust decision.

Vague Triggers

Severity: High
Confidence: 89%
Finding:
The activation conditions are extremely broad, covering failures, corrections, knowledge gaps, better methods, and explicit invocation. In practice this makes the skill effectively always-on, increasing the chance of unnecessary logging, prompt bloat, and unintended persistence of sensitive or irrelevant interaction details.

Vague Triggers

Severity: High
Confidence: 94%
Finding:
An empty hook matcher causes the activator to run on every prompt submission with no contextual filtering. This is an unconstrained automation path: it can repeatedly inject reminders or trigger downstream logging for every conversation, including those unrelated to self-improvement.

Vague Triggers

Severity: High
Confidence: 94%
Finding:
The advanced setup repeats the same unrestricted empty matcher and adds PostToolUse automation, broadening the trigger surface further. This can cause pervasive monitoring of tool activity and routine execution of helper scripts even when no learning workflow is desired.
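The two findings above turn on one detail: an empty matcher fires for every tool, while a regex matcher confines the hook to the tools it names. The checker below shows which commands would run for a given event and tool, lists the entries that fire unconditionally, and produces a scoped copy of the config. It is an added example, not code from the audited skill or from SkillSpector; the settings shape (a `hooks` map of event name to entries, each with a `matcher` regex over tool names and a list of commands) is an assumption modelled on Claude Code's settings.json, and `SAMPLE_SETTINGS` is constructed for the illustration.

```python
"""Check which hook entries fire for an event and tool, flag unscoped
(empty-matcher) entries, and scope them to named tools.

Added example; not code from the audited skill or from SkillSpector. The
settings layout is an assumption modelled on Claude Code's settings.json.
"""
import copy
import json
import re

# Constructed sample: the UserPromptSubmit entry and the first PostToolUse
# entry carry the empty matcher the audit flags; the second PostToolUse
# entry is scoped to file-writing tools.
SAMPLE_SETTINGS = json.dumps({
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": "", "hooks": [
                {"type": "command", "command": "echo 'remember to log learnings'"}]}
        ],
        "PostToolUse": [
            {"matcher": "", "hooks": [
                {"type": "command", "command": "scripts/log-learning.sh"}]},
            {"matcher": "Write|Edit", "hooks": [
                {"type": "command", "command": "scripts/lint-skill-file.sh"}]},
        ],
    }
})


def load_settings(raw=SAMPLE_SETTINGS):
    """Parse a settings document (JSON text) into a dict."""
    return json.loads(raw)


def matcher_fires(matcher, tool_name):
    """An empty or missing matcher fires for every tool; otherwise the
    matcher is a regex that must match the whole tool name."""
    if not matcher:
        return True
    return re.fullmatch(matcher, tool_name) is not None


def commands_for(settings, event, tool_name):
    """Commands that would run for `event` when `tool_name` is the tool."""
    cmds = []
    for entry in settings.get("hooks", {}).get(event, []):
        if matcher_fires(entry.get("matcher", ""), tool_name):
            cmds.extend(h["command"] for h in entry.get("hooks", []))
    return cmds


def unscoped_hooks(settings):
    """(event, command) pairs whose matcher is empty, i.e. that fire
    unconditionally on every occurrence of the event."""
    found = []
    for event, entries in settings.get("hooks", {}).items():
        for entry in entries:
            if not entry.get("matcher"):
                found.extend((event, h["command"]) for h in entry.get("hooks", []))
    return found


def scope_matchers(settings, event, matcher):
    """Copy of the settings in which every empty matcher under `event` is
    replaced by `matcher`, e.g. to confine a logging hook to file writes."""
    fixed = copy.deepcopy(settings)
    for entry in fixed.get("hooks", {}).get(event, []):
        if not entry.get("matcher"):
            entry["matcher"] = matcher
    return fixed


if __name__ == "__main__":
    s = load_settings()
    print("unscoped entries:", unscoped_hooks(s))
    print("PostToolUse/Bash before:", commands_for(s, "PostToolUse", "Bash"))
    s2 = scope_matchers(s, "PostToolUse", "Write|Edit")
    print("PostToolUse/Bash after: ", commands_for(s2, "PostToolUse", "Bash"))
```

Scoping the PostToolUse matcher stops the logging script from running after every Bash call, but it does nothing for the UserPromptSubmit entry, which has no tool to match against; that hook is either on for every prompt or removed.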

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger definitions are broad enough that the skill may activate on routine failures, vague 'knowledge gaps,' or normal model behavior, causing self-modification or logging workflows to run without clear user intent. In a self-improvement skill that writes to memory, workspace files, and potentially cross-session channels, ambiguous activation increases the chance of prompt-influenced persistence, unintended state changes, and noisy or unsafe propagation of incorrect learnings.

Ssd 3

Severity: Medium
Confidence: 86%
Finding:
The skill encourages automatic logging of errors, corrections, and learnings into persistent markdown files. Even with a warning not to log secrets, automatic capture of summaries, error output, and context can still retain sensitive user-provided data or internal details, especially if operators follow the workflow mechanically.
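A warning not to log secrets is only as good as the step that enforces it. The helper below passes the summary and captured error output through a redaction pass before formatting the markdown entry, and reports how many replacements it made so an operator can see that something was stripped. It is an added example, not code from the audited skill; the pattern set (AWS access key IDs, bearer tokens, PEM private keys, and `key=value` assignments for common secret names) is a starting point rather than a complete catalogue, and `SAMPLE_ERROR_OUTPUT` is constructed for the illustration.

```python
"""Redact secrets from text before it is appended to a persistent
learning log.

Added example; not code from the audited skill. The pattern list is a
starting set, not a complete catalogue of secret formats.
"""
import re

# (label, compiled pattern, replacement). Specific formats run before the
# generic key=value rule so the generic rule never sees a partial token.
REDACTIONS = [
    ("aws-access-key",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "[REDACTED:aws-access-key]"),
    ("bearer-token",
     re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*"),
     "Bearer [REDACTED:token]"),
    ("private-key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     "[REDACTED:private-key]"),
    ("assignment",
     re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
]

# Constructed sample of the kind of tool output a mechanical workflow would
# paste into a learnings file: an AWS key ID, a bearer token and a password.
SAMPLE_ERROR_OUTPUT = (
    "aws s3 cp failed: AccessDenied for AKIAIOSFODNN7EXAMPLE\n"
    "curl -H 'Authorization: Bearer eyJabc.def.ghi' https://api.example.test\n"
    "retrying with password=hunter2\n"
)


def redact(text):
    """Return (redacted_text, hits), where hits is the number of
    replacements made across all patterns."""
    hits = 0
    for _label, pattern, repl in REDACTIONS:
        text, n = pattern.subn(repl, text)
        hits += n
    return text, hits


def format_entry(summary, error_output, tags=()):
    """Markdown block for the learnings log. Both the summary and the
    captured output go through redact(); the redaction count is recorded
    so a reviewer can see that the raw material was not clean. Captured
    output is indented rather than fenced so it cannot break the log."""
    clean_summary, n1 = redact(summary)
    clean_output, n2 = redact(error_output)
    lines = [f"## {clean_summary}"]
    if tags:
        lines.append("tags: " + ", ".join(tags))
    lines.append(f"redactions: {n1 + n2}")
    lines.append("")
    lines.extend("    " + ln for ln in clean_output.rstrip("\n").splitlines())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(format_entry("deploy failed: AccessDenied", SAMPLE_ERROR_OUTPUT, tags=("aws",)))
```

Regex redaction catches known shapes only; a credential that matches none of the patterns goes through untouched, which is why the recommendation above is to redact before writing rather than to rely on a filter afterwards.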

Ssd 3

Severity: Medium
Confidence: 88%
Finding:
The cross-session sharing section explicitly describes reading other sessions’ transcripts and sending learnings between sessions. Even though it advises trusted environments and sanitization, this still normalizes data movement across boundaries and can leak transcript-derived information into unrelated sessions or artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.