Security audit

self-evolving-skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for creating and maintaining reusable agent skills, and its file-writing behavior matches that purpose.

Install this only if you want your agent to propose and maintain reusable skills. Use a dedicated skills directory, require review before creating or overwriting files, and inspect any generated scripts before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The document directs the agent to create directories, write files, and potentially overwrite existing content using whatever file-operation tools are available, but it does not require an explicit pre-execution warning, scoped consent, or safe path validation. In a self-evolving skill that persists new artifacts, this can lead to unintended filesystem modification, clobbering existing files, or writing outside an expected workspace if the agent infers paths too broadly.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.