Back to skill

Security audit

Self Evolving Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a local self-learning helper with disclosed persistence and no evidence of exfiltration or destructive behavior, but users should understand that it may store learning state and run local helper code.

Install only if you are comfortable with a local learning component that may retain task context, embeddings, or learned skill state for future runs. Set an explicit storage directory, avoid sending sensitive inputs until retention and deletion behavior are clear, and review any local MCP/Python server configuration before enabling automatic startup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises operational capabilities involving environment access and local execution surfaces, but the manifest shown in SKILL.md does not declare corresponding permissions. Undeclared capabilities reduce transparency and prevent users or hosting frameworks from making informed trust decisions, which can enable unexpected data access or execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose presents the skill as a self-learning/meta-cognitive system, but the broader behavior includes filesystem changes, server startup, localhost requests, persistence, and fallback response fabrication. This mismatch is dangerous because users may grant trust appropriate for an analytics skill while the implementation performs materially broader actions that increase attack surface and can conceal risky side effects.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The documentation exposes a destructive `skill_clear` capability with no warning, scope description, backup guidance, or confirmation expectations. In a persistent self-learning system, normalizing unrestricted data-wipe operations can lead to accidental or induced loss of all learned state, stored skills, and operational history.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description is extremely broad ('Meta-cognitive self-learning system - Automated skill evolution...') and does not define concrete invocation boundaries, inputs, or safety constraints. In a skill that can create, execute, save, and load other skills, this ambiguity increases the chance of overbroad activation or unsafe delegation, which can expand attack surface and enable misuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill launches a Python subprocess automatically with no user-facing warning, confirmation, or policy gate. In agent/plugin environments, silently starting executables expands the attack surface and can surprise operators, especially if Python path resolution or the server code is later tampered with.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends arbitrary caller-supplied data over HTTP to a local service without explicit disclosure. Even though the destination is localhost, this can expose sensitive context to another process and creates a local interception or misuse boundary that users may not expect.

Session Persistence

Medium
Category
Rogue Agent
Content
openclaw skill self-evolving-skill list

# 创建Skill
openclaw skill self-evolving-skill create --name "MySkill"

# 执行
openclaw skill self-evolving-skill execute <id> --success
Confidence
72% confidence
Finding
create --name "MySkill" # 执行 openclaw skill self-evolving-skill execute <id> --success # 分析 openclaw skill self-evolving-skill analyze --embedding '[0.1,0.2,...]' # 统计 openclaw skill self-evolving-

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/index.ts:90