Security audit

evolving skill creator

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives an agent broad authority to create, modify, schedule, and upgrade other agents, with loose triggers and privileged permission templates that deserve careful review.

Install only if you want a stateful meta-skill that can create and help upgrade other skills. Before using it, restrict triggers to explicit commands, avoid the full-access permission template, review any generated .claude/settings.local.json and scheduler config before enabling them, and keep private memory/log files out of shared or packaged output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill is documented to inspect, assess, and upgrade other agents by reading a registry and invoking their status flows. That expands its authority from creating a new skill for the user into managing a broader agent ecosystem, which can enable unintended cross-agent access, modification, and privilege propagation if the operator did not explicitly authorize that scope.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The file requires creating scheduler configuration and references cron-related behavior, but the manifest and primary command description do not clearly disclose that scheduled execution capability exists. Hidden or under-disclosed automation is risky because it can persist actions over time, continue reading/writing memory and output files, and surprise users with autonomous behavior after the initial invocation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The file explicitly grants high-tier models unrestricted command execution, unrestricted file modification, and autonomous decision-making. In a skill that can create, evolve, and update agents, this creates a dangerous overbroad authority boundary: if the skill is triggered in the wrong context or manipulated by prompt injection, the model is authorized to alter arbitrary files and make consequential changes without human review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The base template grants WebSearch by default even though local skill creation and self-modification do not inherently require network access. Adding unnecessary outbound capability expands attack surface, enables data exfiltration or prompt-influenced retrieval, and violates least-privilege guidance stated elsewhere in the document.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The 'full' template authorizes read/write/edit access across the entire home directory plus unrestricted Bash execution, which is far beyond what a skill creator needs. If used, a compromised or misbehaving agent could read sensitive files, alter user data, install persistence, execute arbitrary commands, or pivot into broader system compromise.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The document claims adherence to least privilege while recommending baseline and full templates that materially exceed minimal required access. This mismatch can mislead users into trusting overbroad permissions as safe defaults, increasing the likelihood of unsafe deployment.

Vague Triggers

Severity: High
Confidence: 96%
Finding
The skill can be activated by very broad everyday phrases such as generic learning, planning, and opinion prompts, making accidental or ambiguous invocation likely. In this skill's context, activation can trigger reading memory, private data descriptions, registries, and logs, so overbroad routing materially increases the chance of unintended sensitive operations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs itself to read private memory structures and persist reports/logs, but it does not prominently warn the user at activation time that private data may be accessed and stored. This creates a transparency and consent problem: users may issue what seems like a simple request while unknowingly allowing reads from `memory/private/*` and persistent recording of results.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The document explicitly recommends unattended, non-interactive execution of an agent with pre-authorized tool access and even mentions `--dangerously-skip-permissions`, but only provides minimal caution. In the context of a self-evolving agent skill, this materially increases the risk of unauthorized file edits, command execution, data exfiltration, or runaway automated actions without a human approval checkpoint.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document explicitly recommends structured execution logs and 'full context snapshots' but does not mention redaction, minimization, or exclusion of secrets, personal data, tool outputs, or system prompts. In an agent framework, full-context logging can easily capture credentials, private user content, proprietary data, and security-sensitive state, creating a durable secondary data exposure path.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The recommendation for cross-session persistence of experience data normalizes long-lived storage of agent interaction history without addressing consent, retention limits, segregation, or privacy controls. In this skill's self-evolving agent context, persistent memory increases the chance that sensitive user or system data is accumulated over time and later surfaced, reused, or leaked across tasks or users.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The referenced section explicitly discusses enabling the agent to modify its own SKILL.md, create new commands, and redefine its goals. In the context of a skill whose purpose is to create and evolve other agents, documenting self-modification without a prominent user-facing safety warning or hard constraints can normalize unsafe recursive capability expansion and increase the chance that future implementations bypass oversight.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The document explicitly states that trigger logic relies entirely on the natural-language description, which makes routing behavior ambiguous and prone to false activation. In a skill ecosystem, overly permissive semantic triggering can cause the wrong skill to load or execute in response to unrelated user input, increasing the chance of unsafe tool use or instruction crossover.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The provided template encourages broad trigger wording like keywords and generic mentions without specifying exclusions or contextual boundaries. That can cause accidental invocation of powerful or sensitive skills in unrelated conversations, which is especially risky for a self-evolving agent creator because misrouting may lead to unintended agent generation, planning, or modification actions.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The go-scene trigger phrases are broad natural-language requests like '帮我做一个智能体', which can overlap with ordinary conversation and cause the skill to activate when the user did not explicitly intend it. In a skill that controls contextual memory loading and downstream role creation behavior, accidental activation can lead to incorrect tool/memory use, unintended state changes, or leakage of irrelevant internal process information.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger condition for '继续做P0待办、补充规范' is underspecified and depends on vague workflow language rather than a strict command. This can cause scene confusion, where unrelated user requests are interpreted as architecture-completion tasks and the wrong private or related knowledge is loaded.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding
Phrases like '学习一下' or '研究一下XX知识' are common conversational language and can match many benign user requests that are not meant to activate this specific skill workflow. Because the learn scene may dynamically load topic-specific knowledge files, an accidental match increases the risk of unintended context expansion and behavior drift.

Vague Triggers

Severity: Low
Confidence: 84%
Finding
The scan scene uses a broad phrase such as '扫描最新趋势', which may be triggered by ordinary exploratory discussion. While the immediate files loaded are limited, the scene can still alter workflow and prompt the agent to perform unintended trend-scanning behavior.

Vague Triggers

Severity: Low
Confidence: 83%
Finding
The plan scene trigger '制定学习计划' is broad enough to overlap with general advisory conversation. This can misroute normal planning requests into a privileged internal workflow that loads persistent planning memory and may update long-term state unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
Self-review phrases like '评审一下自己' can overlap with normal reflective conversation and trigger a scene that inspects internal indexing and learning progress files. In this skill context, that makes the issue more dangerous because accidental activation exposes or relies on internal memory-management structure rather than purely user-facing functionality.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The sub-agent review trigger is ambiguous because phrases like '评审XX角色、升级角色' may refer to general discussion, design critique, or unrelated roleplay rather than this specific operational scene. Since the scene may consult private indexing for sub-agent data, ambiguity increases the chance of inappropriate access to sensitive internal context.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
Phrases such as '给你提个建议' and '你怎么看' are extremely common in normal conversation, making accidental activation likely. Because this scene loads and may adjust the learning plan, an innocuous opinion request could unexpectedly influence persistent internal planning state.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding
The status trigger includes everyday small-talk like '你最近状态怎么样', which is highly likely to occur outside intended skill execution. In this context, accidental activation is more dangerous because it causes reading of 'output/execution.log', potentially surfacing operational history or internal activity that the user did not specifically request.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The document requires adding a large number of natural-language trigger phrases to the YAML description, and the examples include fairly broad expressions. This increases the probability that the skill is mis-triggered by ordinary conversation. Because this skill can create and modify agents, read and write memory, and manage cron, a mis-trigger can lead to unintended file reads and writes, configuration changes, or task execution.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The markdown presents highly privileged filesystem and shell access as a reusable template without prominent warnings about consequences such as sensitive data exposure, destructive file modification, or arbitrary command execution. In the context of a self-evolving skill creator, this is especially risky because users may normalize broad autonomy and apply the template without understanding the blast radius.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.