Back to skill

Security audit

Self-Refine Reflection

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only self-review skill with disclosed local memory behavior, but users should understand that it can persist brief reflection notes.

Before installing, review the agent instruction files it modifies and decide whether you want cross-session reflection memory. If you work with sensitive prompts, proprietary code, or regulated data, disable or periodically delete memory/reflections.md unless you are comfortable retaining task-derived self-correction notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The instruction says the skill "activates automatically before delivering final responses" without any scope limitation, approval gate, or condition tied to specific tasks. Broad auto-activation increases the chance that untrusted or unsafe skill behavior is injected into every interaction, including security-sensitive contexts, and the reference to an external skill file means the effective behavior is not bounded within this file.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README promotes saving recurring error patterns to memory but does not prominently warn users that this may persist data across sessions or write to local storage. In agent environments, persisted reflections can capture sensitive prompts, code details, or derived secrets, creating privacy, retention, and compliance risks if users are unaware.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The platform compatibility matrix advertises 'file write' memory support across multiple tools without clearly disclosing that the skill may modify the filesystem and retain state between sessions. In coding-agent contexts, silent persistence is more dangerous because project directories may contain proprietary code, credentials, or regulated data that could be summarized into durable memory artifacts.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The auto-activation rule is broad enough that the skill may engage on many normal responses, increasing hidden prompt influence and token overhead across unrelated tasks. While this is primarily a quality and control issue rather than direct exploitation, overly broad activation can make the agent less predictable and can amplify any unsafe behavior embedded elsewhere in the skill.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manual triggers rely on common phrases like 'think carefully' or 'this is important,' which are easy to say in ordinary conversation and can be adversarially inserted to change agent behavior. In a prompt-injection setting, ambiguous triggers create a covert control channel that lets untrusted user text escalate processing mode, increase cost, or invoke more intrusive internal procedures.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs persistent cross-session memory writes without requiring user notice, consent, retention limits, or sensitivity filtering. This can lead to unexpected storage of user-derived content or behavioral profiles across sessions, creating privacy, compliance, and data minimization risks even if the stored note is framed as self-improvement.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template explicitly instructs the agent to append content to `memory/reflections.md`, which is a persistent file write. Because this behavior is framed as an internal reflection mechanism and includes no user notification, consent check, retention policy, or sensitivity guardrails, it can cause the system to store user-derived or sensitive content without disclosure. In an agent setting, hidden persistence can accumulate private data or create prompt-injection persistence channels across sessions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.