Claw Self Improving Pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local self-improvement memory skill; it has real privacy and persistence caveats, but the behavior fits its stated purpose and shows no artifact-backed exfiltration or deception.

Install only if you want the agent to keep local cross-session notes about your corrections, preferences, workflows, and project patterns. Review ~/self-improving/ periodically, avoid storing secrets or sensitive personal data, be careful with AGENTS.md/SOUL.md/HEARTBEAT.md edits because they affect future behavior, and after any full wipe also remove or protect any exported memory file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documented 'forget everything' flow is internally inconsistent because it first exports current memory to a file before deletion, which can preserve the very data the user asked to erase. In a self-improving memory skill, this is privacy-relevant because users will reasonably interpret the command as a complete wipe, and an automatic export can create an additional retained copy without explicit renewed consent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill’s documented commands materially expand scope from self-reflection into persistent user-memory management, including search, export, deletion, and project-specific storage. That creates a capability mismatch: users invoking a reflective skill may unknowingly expose or modify retained personal and project data beyond the declared purpose.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Autonomous weekly maintenance, archival, and compaction introduce ongoing background data processing unrelated to the stated self-improvement purpose. This is dangerous because stored user data may be moved, retained, or transformed without the user understanding that the skill performs lifecycle management on persisted information.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The setup expands a narrowly described self-improvement skill into persistent changes to broader governance files such as AGENTS.md and SOUL.md, altering default agent startup and task behavior beyond the skill's stated scope. This is dangerous because it creates durable behavioral steering and retrieval obligations that can influence future tasks globally, increasing the blast radius of any bad rule or adversarial memory entry.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill directs modification of unrelated workspace governance files even though its stated purpose is self-reflection and memory. That mismatch is risky because governance files control broader agent behavior, so a memory utility can become a covert persistence and policy-injection mechanism rather than a local support tool.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes exporting memory during a deletion request but does not clearly disclose that the export may itself contain retained user data and become a new persistence point. In the context of a long-term memory skill that stores preferences and corrections across sessions, this omission increases the risk of unintended retention, user deception, and privacy policy noncompliance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persistently stores user corrections, preferences, and self-reflection data in local files, but it does not require an explicit user-facing notice or consent at the point of collection. This creates a privacy and data-retention risk because users may provide sensitive preferences or corrective feedback without realizing it will be written to durable storage and reused later.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description says to use the skill 'before starting work and after responding to the user,' which is broad enough to trigger routine use even when the user did not ask for persistent learning or reflection. Over-broad activation increases the chance of unintended logging, unnecessary file access, and silent accumulation of user data across many interactions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The 'When to Use' conditions are subjective phrases like 'significant work' and 'something in your own output that could be better,' which allow frequent autonomous activation. In this skill's context, ambiguous triggers are more dangerous because activation leads to reading and writing persistent memory, so vague thresholds can expand data collection far beyond user expectations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "forget everything" is generic natural language and can plausibly appear in ordinary conversation, quoted text, or indirect instructions. In a self-improving memory skill, that makes accidental or adversarial triggering more likely, causing unintended memory deletion and disruption of agent behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The kill-switch workflow writes current memory to a file before deletion, but the user is not warned or asked to consent to creating a new persisted copy. This can defeat the purpose of deletion, create an additional retention surface, and expose sensitive data if the export location is insecure or retained longer than expected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to log corrections, promote them to preferences, and write them into scoped namespaces, which implies persistent storage of user behavior without any accompanying notice, consent flow, or retention disclosure. In a self-improving agent context, this is more dangerous because the feature is designed to continuously accumulate user-specific data across sessions and projects, increasing privacy risk and the chance of unintended profiling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reversal flow says to archive old patterns, keep history, and log reversals with timestamps, but it does not tell the user that historical preference data will continue to be retained after changes are made. Retaining superseded preferences and timestamps without clear disclosure or deletion controls creates avoidable privacy exposure and can preserve sensitive behavioral history longer than users expect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes automatic loading of memory on session start and automatic writes on correction without any clear notice, consent flow, or confirmation boundary. Silent persistence and retrieval of user context can lead to privacy violations, accidental retention of sensitive data, and user surprise about what the system remembers or modifies.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Weekly archival and compaction change data location and retention state automatically, yet the file provides no explicit warning or consent mechanism. Users may lose visibility into where their data resides, how long it is kept, or whether old preferences are still being preserved and reused.

Missing User Warnings

Low
Confidence
92% confidence
Finding
This section gives operational instructions for archiving, compaction, index maintenance, and corruption recovery of persistent memory files without requiring any explicit user-facing warning, confirmation, or guardrails before destructive or hard-to-reverse changes. In a self-improving memory skill, these actions can alter long-term agent behavior, lose user preferences, or silently rewrite context, making the omission materially more dangerous than in ordinary documentation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup tells the agent to create and update multiple local files and configuration artifacts without prominent warning, consent, or safety constraints around persistent writes. This is dangerous because users may unknowingly grant the skill ongoing influence over future behavior and local state, and repeated automatic writes can accumulate incorrect, sensitive, or manipulative instructions.

Ssd 3

Medium
Confidence
89% confidence
Finding
Commands such as showing memory, exporting memory, and forgetting everything are presented as unqualified operations with no authorization boundary, role check, or re-authentication requirement. In a multi-user, shared-session, or delegated-agent context, this could expose sensitive memory contents or permit destructive actions by an unauthorized party.

Ssd 3

Medium
Confidence
93% confidence
Finding
The correction logging flow persists user context, timestamps, preferences, and history in human-readable records with no minimization, expiry, or sensitivity filtering. This creates a durable privacy and data-governance risk because personal preferences, project details, and contextual information may be retained indefinitely and later exposed or misused.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Pattern used 3x in 7 days → promote to HOT
- Pattern unused 30 days → demote to WARM
- Pattern unused 90 days → archive to COLD
- Never delete without asking

### 4. Namespace Isolation
- Project patterns stay in `projects/{name}.md`
Confidence
84% confidence
Finding
without asking

VirusTotal

65/65 vendors flagged this skill as clean.