Back to skill

Security audit

自我进化AI

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed memory system, but it encourages automatic, persistent capture of conversations, command outputs, and project-wide agent instructions without clear consent or redaction controls.

Install only if you want an agent to keep persistent project memory. Before using it, require explicit confirmation before every write, redact secrets and personal or business-sensitive details from errors and prompts, keep .learnings local unless intentionally shared, and review diffs before changes to CLAUDE.md, AGENTS.md, or Copilot instruction files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill advertises very broad trigger keywords such as generic improvement and learning phrases, which can cause accidental activation during unrelated conversations. In this skill's context, unintended activation is risky because activation can lead to persistent file writes, memory collection, and later promotion into project instruction files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to write persistent memory files and even promote content into repository-wide instruction files without clearly warning that this changes project state. That creates a silent-persistence risk where user conversation content or transient conclusions become durable guidance affecting future agent behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The hook-based workflow automatically captures prompt submissions and tool outputs, but the document does not provide a clear privacy warning or minimization policy. In a memory/learning skill, this is especially dangerous because prompts, command outputs, errors, and surrounding context often contain secrets, proprietary code, credentials, or personal data that would then be persisted or re-injected.

Ssd 3

Medium
Confidence
96% confidence
Finding
The learning-entry template explicitly asks for complete context about what happened, what was wrong, and the correct approach, encouraging persistence of user-provided and conversation-derived details. Natural-language memory stores are hard to sanitize consistently, so they can easily retain sensitive business context, internal paths, secrets mentioned in conversation, or other private data.

Ssd 3

High
Confidence
99% confidence
Finding
The error logging format tells the agent to preserve raw error messages, command attempts, inputs, parameters, and environment details. Those fields commonly contain access tokens, connection strings, internal URLs, file paths, stack traces, and customer data, making this a direct plaintext data leakage risk when stored in repository files.

Ssd 3

Medium
Confidence
92% confidence
Finding
The feature request template directs the agent to persist the user's requested capability and contextual motivation from conversation. That can retain private intentions, internal roadmaps, customer-specific needs, or other sensitive context that was only meant for the immediate interaction.

Ssd 3

Medium
Confidence
95% confidence
Finding
The automatic triggers instruct the agent to record user corrections, newly supplied information, and various interaction outcomes automatically. Automatic retention of conversational content is risky because users may not expect their corrections, clarifications, or proprietary facts to be written into persistent project memory.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.