wx-112

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local learning-log and reminder tool; it has broad optional hooks and persistent memory guidance, but the inspected artifacts do not show hidden data theft, destructive behavior, or deceptive execution.

Install this only if you want persistent local learning logs and reminder hooks. Prefer project-level, activator-only setup; avoid global hooks and PostToolUse error detection when command output may contain secrets. Review any learning before promoting it into AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md, or Copilot instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The document states that the scripts 'only output text' and 'don't modify files or run commands,' yet the configuration explicitly registers them as shell commands to be executed by the hook system. This mismatch can cause operators to underestimate the trust boundary and deploy executable hooks with fewer safeguards than they otherwise would.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The documented integration extends a self-improvement skill from recording local learnings into cross-session coordination and sub-agent orchestration. That scope expansion increases the attack surface by enabling information flow and agent actions unrelated to the stated purpose, which can be abused for lateral context access or unintended task execution.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The guide instructs promoting learnings into AGENTS.md, SOUL.md, and TOOLS.md, which are injected prompt/configuration files that can shape future agent behavior. This turns a logging mechanism into a persistence and behavior-modification pathway, allowing bad data, prompt injection, or mistaken conclusions to become durable operating instructions.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Reading other sessions' transcripts is not necessary for a self-improvement skill whose stated role is capturing corrections and failures. Transcript access can expose sensitive prompts, secrets, user data, and operational context across sessions, creating a clear confidentiality risk and an unnecessary privilege escalation.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation guidance is extremely broad and overlaps with normal coding-assistant use, including failures, corrections, outdated knowledge, better approaches, and review before major tasks. In practice this can cause constant invocation, excessive file writes, and normalization of persistent logging, increasing the chance of storing sensitive workflow details without a narrowly scoped user request.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrases include ordinary conversational patterns like 'Can you also...' and 'Is there a way to...', which are common in benign interaction and not reliable indicators that persistent logging should occur. This creates over-collection risk and can silently convert routine chat into durable records, especially when combined with the skill's encouragement to promote learnings into memory files and other agent contexts.

Vague Triggers

Medium
Confidence: 88%
Finding
An empty matcher causes the hook to fire on every prompt, which broadens the activation surface to all interactions rather than just failure- or learning-related cases. In a self-improvement skill, this increases the chance of unnecessary context injection, inadvertent handling of sensitive prompts, and persistent behavior that users may not expect.

Vague Triggers

Medium
Confidence: 91%
Finding
User-level configuration enables the hook across all sessions and projects, making the behavior persistent and difficult to scope to appropriate contexts. This can expose unrelated prompts to hook processing and normalize execution of local scripts in environments where they were never intended to run.

Vague Triggers

Medium
Confidence: 87%
Finding
The Codex CLI example also uses an empty matcher, causing unconstrained execution on every prompt. Repeating this pattern across tools increases the likelihood that users copy a broad, always-on configuration without understanding the resulting prompt-wide interception behavior.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger conditions are broad enough that the skill could activate during many normal interactions, increasing the chance of unintended logging, persistence, or promotion of low-quality or adversarial content. Over-broad activation is especially risky here because the skill interfaces with persistent memory and potentially behavior-shaping files.

VirusTotal

65/65 vendors flagged this skill as clean.