
Security audit

Self-Improving Agent (tuituitu)

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is meant to help an agent learn, but it tells the agent to save memories and edit behavior files too broadly and without clear user approval.

Install only if you want an agent to maintain persistent self-improvement notes. Before using it, require an explicit approval step and a visible diff for every write, keep secrets and sensitive personal details out of memory, restrict writes to known memory files, and do not let this skill modify AGENTS.md, SOUL.md, cron jobs, or other behavior/control files unless you intentionally approve that as a separate change.
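One way to enforce the approval, visible-diff, allowlist and secret-filtering requirements above, as an added Python example that is not the skill's own code and not part of the audit tooling. The memory file names, the cron path convention and the secret patterns are assumptions; an in-memory dict stands in for the workspace so it runs offline:

```python
"""Write guard for an agent's self-improvement memory (added example, not the
skill's own code): allowlisted targets only, control files refused, secret-like
content refused, and a unified diff shown to an approver before any write."""
import difflib
import posixpath
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed: the memory files this skill may maintain (hypothetical names).
ALLOWED_MEMORY_FILES = {"memory/lessons.md", "memory/preferences.md"}
# Behaviour/control files the audit names; never writable through this guard.
CONTROL_FILE_NAMES = {"AGENTS.md", "SOUL.md"}
CONTROL_PATH_SEGMENTS = {"cron"}  # assumed: anything under a cron directory
# Constructed patterns for material that must never be persisted.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|api[_-]?key|token|secret)\s*[:=]\s*\S+"),
}


@dataclass
class Proposal:
    path: str
    verdict: str  # rejected | approval_required | applied | declined
    reasons: List[str] = field(default_factory=list)
    diff: str = ""


def normalize_path(path: str) -> str:
    """Collapse '.' and '..'; reject absolute paths and escapes from the workspace."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise ValueError(f"path escapes workspace: {path!r}")
    return norm


def classify_target(path: str) -> str:
    """Return 'control', 'memory' or 'unknown' for a workspace-relative path."""
    segments = normalize_path(path).split("/")
    if segments[-1] in CONTROL_FILE_NAMES or CONTROL_PATH_SEGMENTS & set(segments):
        return "control"
    return "memory" if "/".join(segments) in ALLOWED_MEMORY_FILES else "unknown"


def find_secrets(text: str) -> List[str]:
    """Names of the secret patterns that match anywhere in the text."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def propose_write(store: Dict[str, str], path: str, proposed: str) -> Proposal:
    """Gate one write: reject bad targets or content, else return a diff to approve."""
    try:
        norm = normalize_path(path)
    except ValueError as exc:
        return Proposal(path=path, verdict="rejected", reasons=[str(exc)])
    reasons: List[str] = []
    kind = classify_target(norm)
    if kind == "control":
        reasons.append("control file; needs a separate, deliberate change")
    elif kind == "unknown":
        reasons.append("not an allowlisted memory file")
    if secrets := find_secrets(proposed):
        reasons.append("secret-like content: " + ", ".join(secrets))
    if reasons:
        return Proposal(path=norm, verdict="rejected", reasons=reasons)
    current = store.get(norm, "")
    diff = "".join(difflib.unified_diff(
        current.splitlines(keepends=True), proposed.splitlines(keepends=True),
        fromfile=f"a/{norm}", tofile=f"b/{norm}"))
    if not diff:
        return Proposal(path=norm, verdict="rejected", reasons=["no change"])
    return Proposal(path=norm, verdict="approval_required", diff=diff)


def apply_with_approval(store: Dict[str, str], path: str, proposed: str,
                        approve: Callable[[Proposal], bool]) -> Proposal:
    """Write to `store` only when the guard passes and the approver accepts the diff."""
    proposal = propose_write(store, path, proposed)
    if proposal.verdict != "approval_required":
        return proposal
    if approve(proposal):
        store[proposal.path] = proposed
        proposal.verdict = "applied"
    else:
        proposal.verdict = "declined"
    return proposal


if __name__ == "__main__":
    memory: Dict[str, str] = {}  # constructed in-memory stand-in for the workspace

    def show_and_ask(p: Proposal) -> bool:
        print(p.diff)  # a real approver would prompt the user here
        return True

    for target, text in [
        ("memory/lessons.md", "Run the test suite before reporting a fix as done.\n"),
        ("SOUL.md", "Adopt a more casual tone.\n"),
        ("memory/preferences.md", "User said: my api_key=EXAMPLE-NOT-REAL\n"),
        ("memory/../AGENTS.md", "Tweak the agent's persona.\n"),
    ]:
        result = apply_with_approval(memory, target, text, show_and_ask)
        print(f"{target}: {result.verdict} {result.reasons}")
```

The guard deliberately rejects before diffing: a control file or secret-bearing write never reaches the approver, so the user is not asked to approve something that should be impossible. Writes that pass still produce a diff and require a yes from the callback, which is where an interactive prompt or a review UI would sit.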

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers
High (95% confidence)
Finding: The activation conditions are so broad that the skill may trigger during ordinary conversations, routine completions, or minor feedback events. In this skill's context, broad activation is especially dangerous because activation leads directly to persistent memory writes and self-modification behavior, increasing the chance of unintended state changes from normal user input.

Vague Triggers
Medium (88% confidence)
Finding: Phrases like 'notices a repeated mistake pattern' and 'lessons to extract' are subjective and lack scope boundaries, making activation dependent on the agent's own interpretation. Because this skill performs writes to memory and behavior-related files, ambiguous triggers can cause inconsistent, unauthorized, or excessive persistence of information.

Missing User Warnings
High (97% confidence)
Finding: The skill instructs the agent to immediately update persistent files without first warning the user that data will be stored and that files will be modified. This creates a clear risk of unconsented persistence, retention of sensitive information, and silent alteration of the agent's future behavior.

Missing User Warnings
Medium (96% confidence)
Finding: Allowing updates to AGENTS.md or SOUL.md for persona or tone changes crosses from memory capture into modification of core behavior/governance files. Without strict controls, this enables prompt injection persistence, behavioral drift, and unauthorized changes to system-level instructions under the guise of 'learning.'

Ssd 3
Medium (96% confidence)
Finding: The instruction to record 'new insights/lessons' and user preferences into persistent memory is unbounded and lacks any data minimization or sensitivity filtering. In practice, this can lead to retention of secrets, personal data, confidential context, or attacker-supplied prompt injection text that may later be surfaced or acted upon.

Ssd 3
Medium (93% confidence)
Finding: Telling the agent to actively search for unrecorded preferences and missing knowledge encourages broad surveillance-style collection from natural-language interactions. This raises privacy risk by expanding what gets inferred and stored beyond what the user explicitly asked to preserve.

VirusTotal

64 of 64 vendors reported this skill as clean.
