Skill Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it asks agents to retain and spread conversation-derived details broadly enough that users should review its privacy and persistence behavior before installing.

Install only if you want an agent to keep durable local learning logs. Before enabling hooks, require redaction of secrets, tokens, customer data, private paths, raw transcripts, and full command outputs; prefer summarized entries; keep `.learnings/` out of version control unless intentionally shared; and require explicit approval before promoting entries to memory files or sending them across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill advertises transcript access and cross-session messaging features that go beyond simple local self-improvement logging. Even if intended for coordination, these capabilities can move sensitive information between sessions and expose prior conversation content to contexts that did not originally receive it.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
The skill repeatedly directs creation and modification of local files, including workspace and project files, without an explicit warning or consent boundary. In agent environments, silent filesystem writes can alter developer context, persist sensitive data, or change later agent behavior without the user's informed approval.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The empty matcher causes the hook to run on every prompt, creating very broad activation scope for a command execution hook. Even though the document says the scripts only output text, this setup normalizes unconditional execution and increases the blast radius if the referenced script is modified, replaced, or behaves unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The user-level configuration enables the hook globally across repositories and sessions without meaningful scope restriction. That makes accidental propagation more likely and broadens exposure if the hook script is unsafe, tampered with, or produces prompt-influencing output in unrelated contexts.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The Codex example repeats the same broad empty-matcher pattern, so the hook command will trigger for all prompts with no filtering. In an agent environment, always-on hook execution increases opportunities for unwanted prompt injection, misfires, and abuse through script replacement or unexpected side effects.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The skill instructs the agent to persist user corrections, requests, and related interaction details into markdown files for future use. This creates a natural-language retention channel that can store sensitive or proprietary information beyond the original session, increasing leakage risk through later reads, sync, commits, or sharing.

Ssd 3

Severity: High
Confidence: 98%
Finding:
Encouraging agents to read other sessions' transcripts and send learnings across sessions materially increases the risk of disclosing sensitive conversation content outside its original scope. This is especially dangerous because transcripts often contain raw user instructions, errors, paths, tokens, or business context that may not be safe to redistribute.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The logging templates explicitly ask for full context, actual error output, parameters, and environment details, all of which commonly contain secrets, internal URLs, file paths, identifiers, or confidential business data. Persisting that information in plain markdown creates a high-probability leakage and over-retention risk.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
Promoting learned content into broader context files like CLAUDE.md, AGENTS.md, SOUL.md, and TOOLS.md spreads session-derived information into persistent prompt inputs that may be loaded automatically in future work. This amplifies any earlier logging mistake and makes sensitive content harder to detect, contain, and remove.

VirusTotal

64/64 vendors flagged this skill as clean.