Test folder upload

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed self-improvement logging skill with real persistence and hook risks, but the artifacts are coherent and do not show hidden exfiltration, destructive behavior, or unrelated privileged actions.

Install this only if you want persistent agent learning notes. Prefer project-local .learnings storage, review entries before promoting them into AGENTS.md, CLAUDE.md, SOUL.md, TOOLS.md, or new skills, and enable hooks only in trusted workspaces. Do not let secrets, tokens, private transcripts, raw command output, or sensitive project data be logged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document states that hook scripts 'only output text' and 'don't modify files or run commands', but the same guide configures those scripts as command hooks and also documents an extract script that creates scaffolding. This mismatch can cause operators to under-trust the execution risk of hook commands and approve automation under false assumptions, which is dangerous because hook commands execute with the agent's privileges.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The template asks authors to 'include trigger conditions' but does not require concrete activation boundaries, exclusions, or examples. In a skill-routing system, vague trigger text can cause overbroad activation, making the agent invoke the wrong skill in inappropriate contexts and potentially apply unsafe guidance more widely than intended.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The minimal template's description guidance ('what this skill does and when to use it') is too sparse to constrain activation behavior. Because this repository is for self-improvement skills that may be consulted broadly after failures or corrections, ambiguous descriptions increase the chance of collision-prone or inappropriate skill selection across many tasks.

Vague Triggers

Medium
Confidence
88% confidence
Finding
An empty matcher on UserPromptSubmit causes the hook to run on every prompt with no scope restriction. In a self-improvement skill, this broad trigger increases exposure of all user interactions and can create unnecessary collection, processing, or leakage of sensitive prompt content through hook logic.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The user-level configuration recommends globally enabling a hook with an empty matcher, causing it to execute for every prompt across projects and contexts. This widens the blast radius substantially: a misbehaving or later-modified script would gain persistent visibility into all sessions, including sensitive repositories and prompts.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Even the 'minimal' setup still triggers on every prompt because the matcher is empty. Reducing the number of hooks lowers overhead, but it does not address the core security issue of indiscriminate execution on all prompts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The Codex example also uses an empty matcher, which means the hook runs on every prompt without contextual limits. In tooling that may be used across varied tasks, this unnecessarily broad invocation increases the chance of sensitive data being processed or retained by the hook path.

Self-Modification

High
Category
Rogue Agent
Content
```bash
[ -f .learnings/FEATURE_REQUESTS.md ] || printf "# Feature Requests\n\nCapabilities requested by the user.\n\n---\n" > .learnings/FEATURE_REQUESTS.md
```

Never overwrite existing files. This is a no-op if `.learnings/` is already initialised.

Do not log secrets, tokens, private keys, environment variables, or full source/config files unless the user explicitly asks for that level of detail. Prefer short summaries or redacted excerpts over raw command output or full transcripts.
Confidence
88% confidence
Finding
overwrite existing file

Session Persistence

Medium
Category
Rogue Agent
Content
```
└── FEATURE_REQUESTS.md
```

### Create Learning Files

```bash
mkdir -p ~/.openclaw/workspace/.learnings
```
Confidence
90% confidence
Finding
Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.
