
Security audit

Feihong Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it needs review because it encourages durable agent memory, broad logging of task context, and optional automatic hooks without strong redaction or scoping controls.

Install only if you want agents to keep durable learning notes. Before enabling hooks or cross-session sharing, add a local rule to summarize and redact secrets, tokens, customer data, private URLs, raw prompts, and full command outputs. Keep .learnings out of version control unless every entry is intentionally shareable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases are common in normal conversation and are mapped to automatic logging actions without requiring sensitivity checks, consent, or contextual validation. This makes it easy for benign conversational content, corrections, or user-provided facts to be unnecessarily persisted into long-term files, increasing privacy and data-retention risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The guide instructs users to enable a user-level UserPromptSubmit hook that executes a local shell script on every prompt across all sessions. Although the script may be intended to be harmless, persistent global command execution materially expands the attack surface and is not paired with an immediate, prominent warning that every prompt submission triggers code execution.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The setup examples configure command-type hooks that run shell scripts, but the initial instructions do not immediately disclose that normal prompt submission and Bash tool use will cause local executable scripts to run. This can lead users to enable automation without understanding that they are introducing automatic command execution into their workflow.
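Before enabling the hooks the two findings above describe, a practitioner wants to know exactly which scripts will run on every prompt and whether anyone else could modify them: a hook script is a persistence point, and whoever can write to it (or replace it in a loose directory) runs code on every future prompt. The Python below is an added check, not part of the skill or of SkillSpector. The config shape ({"hooks": {event: [{"type": "command", "command": ...}]}}) and the event names UserPromptSubmit and PostToolUse are assumptions used for illustration, and the fixture scripts are constructed in a temporary directory.

```python
import os
import shlex
import stat
import tempfile
from typing import Any, Dict, List

# Assumed event name for "fires on every prompt submission"; adjust to the agent you actually run.
EVERY_PROMPT_EVENTS = {"UserPromptSubmit"}


def _script_paths(command: str) -> List[str]:
    """Tokens of a hook command line that resolve to files on disk, i.e. the scripts that will run."""
    paths = []
    for token in shlex.split(command):
        candidate = os.path.expanduser(token)
        if os.path.isfile(candidate):
            paths.append(candidate)
    return paths


def _file_concerns(path: str) -> List[str]:
    """Ownership and permission checks: anyone who can write the script or swap it in owns every future prompt."""
    concerns = []
    st = os.stat(path)
    if st.st_uid != os.getuid():
        concerns.append(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        concerns.append(f"{path}: writable by group or others (hijackable)")
    parent_dir = os.path.dirname(path)
    parent = os.stat(parent_dir)
    if (parent.st_mode & stat.S_IWOTH) and not (parent.st_mode & stat.S_ISVTX):
        concerns.append(f"{parent_dir}: world-writable directory without sticky bit (script can be replaced)")
    return concerns


def audit_command_hooks(config: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Walk an assumed-shape hooks config and report every command-type hook with its risk notes."""
    report = []
    for event, hooks in config.get("hooks", {}).items():
        for hook in hooks:
            if hook.get("type") != "command":
                continue
            command = hook["command"]
            concerns = []
            if event in EVERY_PROMPT_EVENTS:
                concerns.append("runs on every prompt submission in every session")
            scripts = _script_paths(command)
            if not scripts:
                concerns.append("no script file resolved from command; inline shell or PATH lookup at runtime")
            for path in scripts:
                concerns.extend(_file_concerns(path))
            report.append({"event": event, "command": command, "concerns": concerns})
    return report


def demo() -> List[Dict[str, Any]]:
    """Constructed fixture: two hook scripts, one sanely permissioned and one world-writable."""
    tmp = tempfile.mkdtemp()
    safe = os.path.join(tmp, "log-prompt.sh")
    loose = os.path.join(tmp, "capture-bash.sh")
    for path in (safe, loose):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)
    config = {
        "hooks": {
            "UserPromptSubmit": [{"type": "command", "command": f"bash {safe}"}],
            "PostToolUse": [{"type": "command", "command": loose}],
        }
    }
    return audit_command_hooks(config)


if __name__ == "__main__":
    for entry in demo():
        print(entry["event"], entry["command"])
        for concern in entry["concerns"]:
            print("  -", concern)
```

Run it against your real hooks file by loading that JSON into audit_command_hooks instead of the fixture; any hook that shows "runs on every prompt submission" plus a writable script or directory is the case the findings warn about, and should be fixed (chmod 0755, owner-only directory) before the hook is enabled.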

Ssd 3

Severity: Medium
Confidence: 92%
Finding: The skill explicitly instructs the agent to persist user corrections, requests, and promoted learnings into durable workspace and project memory files. In a security context, that creates a clear risk of retaining sensitive prompts, business context, credentials, or private workflow details in places that may later be reused, exposed to other agents, or committed to source control.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The cross-session guidance encourages reading other sessions' transcripts and sending learnings between sessions without any access-control, need-to-know, redaction, or consent requirements. That can expose sensitive user content across session boundaries and amplify a leak from one session into multiple agents or workspaces.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The logging templates instruct the agent to capture full context, inputs, parameters, environment details, and literal error output. Those fields commonly contain credentials, API keys, filesystem paths, internal URLs, user data, stack traces, and operational details that become durable artifacts and may be indexed, shared, or committed later.
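The overview's recommendation (summarize and redact secrets, tokens, private URLs, raw prompts and full command output before anything reaches .learnings) and the logging-template finding above come down to the same control: a sanitizing pass between the template's fields and the durable file, with a hold-for-review decision when something secret-shaped survives. The Python below is an added example of that pass, not code from the skill or from SkillSpector. The entry layout, the list of secret-bearing variable names, the private hostname suffixes and the token formats it recognizes are assumptions to extend locally, and the sample entry is constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the shape the skill's logging template asks for (context, inputs,
# environment, literal error output). Values are made up; key and token formats follow the
# public conventions (AWS "AKIA..." key IDs, GitHub "ghp_" tokens, bearer JWTs).
SAMPLE_ENTRY: Dict[str, str] = {
    "context": "Deploy failed while pushing to https://git.internal.corp/team/app.git",
    "inputs": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdef123456' https://api.example.com/v1/jobs",
    "environment": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
                   "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY HOME=/home/alice",
    "error_output": "\n".join(
        f"line {i}: Traceback (most recent call last) ... GITHUB_TOKEN=ghp_{'a' * 36}" for i in range(1, 60)
    ),
}

# Ordered: precise token formats first, then generic NAME=value, then internal URLs.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED_AWS_KEY_ID]"),
    (re.compile(r"ghp_[A-Za-z0-9]{36}"), "[REDACTED_GITHUB_TOKEN]"),
    (re.compile(r"bearer\s+[A-Za-z0-9._~+/-]+=*", re.IGNORECASE), "Bearer [REDACTED_TOKEN]"),
    # NAME=value where NAME looks secret-bearing (assumed list); the lookahead skips already-redacted values.
    (re.compile(r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)[A-Z0-9_]*)=(?!\[)\S+",
                re.IGNORECASE), r"\1=[REDACTED]"),
    # URLs under private-looking suffixes (assumed list; add your own internal domains).
    (re.compile(r"https?://[^\s/]*\.(?:internal|corp|local|lan)\b\S*", re.IGNORECASE), "[REDACTED_INTERNAL_URL]"),
]
# Long opaque runs that no named pattern caught are held for human review rather than persisted.
OPAQUE_RUN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")


def redact(text: str) -> str:
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def truncate_output(text: str, max_lines: int) -> str:
    """Keep only the head of literal command/error output; the full dump rarely belongs in durable memory."""
    lines = text.splitlines()
    if len(lines) <= max_lines:
        return text
    return "\n".join(lines[:max_lines]) + f"\n[... {len(lines) - max_lines} more lines omitted ...]"


def residual_findings(entry: Dict[str, str]) -> List[str]:
    """Fields that still contain secret-shaped content: a named pattern or a long opaque run."""
    flagged = set()
    for field, value in entry.items():
        if OPAQUE_RUN.search(value) or any(p.search(value) for p, _ in SECRET_PATTERNS):
            flagged.add(field)
    return sorted(flagged)


def sanitize_entry(entry: Dict[str, str], max_output_lines: int = 10) -> Dict[str, str]:
    clean = {field: redact(value) for field, value in entry.items()}
    if "error_output" in clean:
        clean["error_output"] = truncate_output(clean["error_output"], max_output_lines)
    return clean


def prepare_for_learnings(entry: Dict[str, str]) -> Dict[str, object]:
    """Sanitize, then decide: persist only if nothing secret-shaped survives, else hold the entry."""
    clean = sanitize_entry(entry)
    leftovers = residual_findings(clean)
    return {"entry": clean, "persist": not leftovers, "held_fields": leftovers}


if __name__ == "__main__":
    result = prepare_for_learnings(SAMPLE_ENTRY)
    for field, value in result["entry"].items():
        print(f"{field}: {value}")
    print("persist:", result["persist"], "held:", result["held_fields"])
```

The second pass (residual_findings) is the part that matters for the cross-session sharing the other findings describe: a redactor that only knows named formats will miss a credential in an unfamiliar shape, so the entry is withheld from the shared file whenever a long opaque string survives, and a human decides. Keep the pattern list in the repo next to a .gitignore entry for .learnings so the file never ships by accident.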

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (excerpt of the skill text that triggered the finding):

    └── FEATURE_REQUESTS.md
    ```

    ### Create Learning Files

    ```bash
    mkdir -p ~/.openclaw/workspace/.learnings

Confidence: 81%
Finding: Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.