
Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local self-improvement logging skill with opt-in hooks and persistent notes, so the main risk is privacy and prompt-memory hygiene rather than malicious behavior.

Install this only if you want local notes to persist across sessions. Keep hooks disabled unless you want automatic reminders; avoid global (user-level) hook activation for sensitive work; and never store secrets, tokens, environment dumps, raw transcripts, or full command output in .learnings/ or in promoted prompt files, because those files are re-injected into later sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium severity, 89% confidence

The guide broadens a self-improvement/logging skill into editing high-impact workspace prompt files such as AGENTS.md, SOUL.md, and TOOLS.md. Because those files are injected into future sessions, incorrect, sensitive, or adversarially influenced content can become persistent prompt context and affect later agent behavior well beyond the original learning event.

Context-Inappropriate Capability

Medium severity, 84% confidence

The documented ability to read other sessions' transcripts exceeds the narrow purpose of self-improvement and creates unnecessary access to potentially sensitive cross-session context. Even with some cautionary wording, exposing transcript-reading as part of this integration increases the chance of privacy violations, data mixing between tasks, and prompt-injection propagation from one session into another.

Vague Triggers

Medium severity, 92% confidence

The empty matcher causes the hook to run on every user prompt, creating unnecessarily broad trigger scope for a self-improvement feature. While the script is described as lightweight and opt-in, universal activation increases the chance of unintended context processing, sensitive prompt exposure to the hook, and operational overhead across all interactions.

Vague Triggers

Medium severity, 89% confidence

The user-level configuration recommends global activation with no narrowing conditions, which expands the hook's reach across all projects and sessions. In this skill context, that makes prompt-wide monitoring more dangerous because self-improvement hooks may observe sensitive or unrelated work far beyond the original project scope.

Vague Triggers

Medium severity, 90% confidence

The Codex example also uses an empty matcher, so the hook will trigger for every prompt rather than only for relevant events. This broad interception is risky in a skill designed to capture learnings, because it can normalize unnecessary collection and processing of all prompt traffic.

Missing User Warnings

Medium severity, 92% confidence

The instructions encourage storing learnings in persistent workspace files and .learnings/ without prominently warning that these records may survive across sessions and contain sensitive or task-specific context. This can lead to inadvertent retention of secrets, personal data, internal project details, or erroneous guidance that later sessions will reuse.
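The overview's hygiene advice and the trigger-scope and retention findings above describe what a safer hook would do without showing one. The following is an added example written for this page, not code from the scanned skill, from SkillSpector, or from any agent runtime: a hook script that fires only on an explicit `/learn` marker instead of on every prompt, redacts secret-looking content, caps entry size so raw transcripts and full command output cannot be stored, and stays inert unless the current project has opted in by creating `.learnings/`. The stdin JSON shape (a `prompt` field), the trigger word, the secret patterns, and the file layout are assumptions chosen for illustration.

```python
"""Added example (not part of the scanned skill): a narrow-trigger, redacting
hook that appends learnings to a project-local .learnings/ store.

Assumptions (not from the page): the hook receives a JSON object on stdin
with a "prompt" field, and per-project opt-in is signalled by a pre-existing
.learnings/ directory in the current working directory.
"""
import json
import re
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple

# Narrow trigger: only prompts the user explicitly marks as a learning are
# processed, instead of matching every prompt with an empty matcher.
TRIGGER = re.compile(r"^\s*(?:/learn|#learn)\b", re.IGNORECASE)

# Material that must never be written into persistent prompt context.
# Illustrative patterns only; a real deployment would tune this list.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                                   # AWS access key id
    re.compile(r"(?i)\bbearer\s+[a-z0-9\-._~+/]+=*"),                  # bearer tokens
    re.compile(r"(?i)\b(?:api[_-]?key|token|secret|password)\s*[=:]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?m)^[A-Z_][A-Z0-9_]*=\S+$"),                         # env-style KEY=value lines
]

MAX_LEN = 500  # hard cap so transcripts / full command output cannot be stored


def should_capture(prompt: str) -> bool:
    """Narrow trigger: fire only on an explicit learn marker."""
    return TRIGGER.match(prompt) is not None


def redact(text: str) -> Tuple[str, int]:
    """Replace secret-looking spans; returns (clean_text, number_of_redactions)."""
    total = 0
    for pat in SECRET_PATTERNS:
        text, n = pat.subn("[REDACTED]", text)
        total += n
    return text, total


def build_entry(prompt: str, now: Optional[datetime] = None) -> Optional[dict]:
    """Turn a triggering prompt into a sanitized, size-capped learning record.

    Returns None for prompts that do not carry the trigger marker.
    """
    if not should_capture(prompt):
        return None
    body = TRIGGER.sub("", prompt, count=1).strip()
    body, redactions = redact(body)
    truncated = len(body) > MAX_LEN
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "ts": ts,
        "learning": body[:MAX_LEN],
        "redactions": redactions,
        "truncated": truncated,
    }


def append_learning(entry: dict, learnings_dir: Path) -> Path:
    """Append one JSON line to <learnings_dir>/learnings.jsonl and return its path."""
    target = learnings_dir / "learnings.jsonl"
    with target.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, ensure_ascii=False) + "\n")
    return target


def main() -> int:
    learnings_dir = Path.cwd() / ".learnings"
    # Project-level opt-in: do nothing unless this project created .learnings/.
    # A user-level (global) activation of this hook therefore stays inert
    # in every other project.
    if not learnings_dir.is_dir():
        return 0
    try:
        payload = json.load(sys.stdin)
    except json.JSONDecodeError:
        return 0
    entry = build_entry(str(payload.get("prompt", "")))
    if entry is None:
        return 0
    append_learning(entry, learnings_dir)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The three controls map directly onto the findings: the explicit trigger replaces the empty matcher, the opt-in directory check neutralizes a global activation, and redaction plus the length cap address the retention warning. The redaction list is deliberately conservative and will not catch every secret format, so it complements, rather than replaces, the rule of not pasting secrets into prompts in the first place.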

VirusTotal

All 65 of 65 vendors returned a clean verdict for this skill.