Security audit

Self Improvement Tianjin

Security checks across malware telemetry and agentic risk

Overview

This skill openly stores local learning notes and reminders as its main function, but users should redact sensitive details before keeping or promoting those notes.

Install this only if you want the agent to keep durable local learning notes and possibly load them into future sessions. Review `.learnings` and promoted memory files, avoid committing private logs, redact tokens, credentials, customer data, private transcripts, and full command output, and enable the broad hooks only if you are comfortable with recurring reminder injection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: High
Confidence: 90%
Finding: The hook configuration uses empty matchers, causing the skill to activate on every prompt and relevant tool event. That creates an always-on pathway for persistence and post-processing of user interactions, substantially increasing the chance that sensitive content, secrets, or irrelevant context are logged without meaningful scoping or consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The instructions direct creation and use of persistent learning files in the user's workspace or skill directory without warning about privacy, retention, or the risk of storing sensitive data. In an agent setting, persistent writes can silently modify user-controlled data and accumulate secrets, internal prompts, or erroneous records across sessions.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs the agent to persist user corrections, requests, errors, and contextual details into long-lived files and to promote some of that content into broader memory locations. This creates a durable data-retention channel that can capture sensitive prompts, proprietary code context, credentials, or personal information far beyond the original interaction.

Ssd 3

Severity: High
Confidence: 97%
Finding: The inter-session features encourage reading other session transcripts and sending learnings between sessions, which creates a semantic exfiltration path for sensitive conversation content. Without strict access controls, purpose limitation, and redaction, one session can unintentionally leak confidential information from another or propagate tainted instructions across contexts.

Ssd 3

Severity: High
Confidence: 98%
Finding: The error logging template tells the agent to record actual error output, command inputs, parameters, and environment details, all of which commonly contain secrets, tokens, file paths, internal URLs, customer data, or proprietary code fragments. Persisting raw operational data to markdown files materially increases the risk of credential leakage, privacy violations, and later accidental disclosure through source control or shared workspaces.

VirusTotal

63/63 vendors flagged this skill as clean.