
Security audit

🔄 智能体自进化 (Agent Self-Evolution)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local self-improvement logger with optional reminder hooks, and I found no artifact-backed evidence of exfiltration, hidden installation, or destructive behavior.

Install this only if you want durable local learning logs and future-session reminders. Prefer project-level hooks over global hooks, review the hook scripts before enabling them, and avoid enabling command-output inspection in workspaces where tool output may contain secrets unless you are comfortable with local inspection of that output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Intent-Code Divergence

Severity
Medium
Confidence
97%
Finding
The document states that the scripts 'only output text' and 'don't modify files or run commands,' but the configuration explicitly registers shell scripts as command hooks. That mismatch can cause operators to underestimate the trust boundary and deploy the hooks with broader permissions than intended, increasing the risk of code execution or side effects if the scripts are changed, replaced, or behave unexpectedly.

Vague Triggers

Severity
Medium
Confidence
87%
Finding
The template encourages descriptions built around generic trigger placeholders without requiring tight activation boundaries, which can lead to skills being invoked in situations broader than intended. In an agent system, overly broad activation criteria increase the chance that sensitive or powerful guidance is applied in the wrong context, causing unsafe automation or misuse of downstream tools.

Vague Triggers

Severity
Medium
Confidence
84%
Finding
The minimal template's placeholder for 'what this skill does and when to use it' is underspecified and does not force authors to document precise trigger conditions. This creates a systematic risk that lightweight skills will be published with vague activation rules, making accidental over-application more likely in production agent behavior.

Vague Triggers

Severity
Medium
Confidence
91%
Finding
The script-enabled template documents executable helpers but does not require constrained activation criteria or safety gates before running them. Because these skills can drive command execution, vague triggering becomes more dangerous here: an agent may invoke scripts in inappropriate contexts, leading to unintended system changes, data exposure, or destructive actions.

Vague Triggers

Severity
Medium
Confidence
92%
Finding
Using an empty matcher causes the activator to run on every prompt, which is an overbroad trigger for a self-improvement hook that may receive or process arbitrary user input. In this skill context, that broad scope increases exposure to sensitive prompts, prompt-injection propagation, unnecessary persistence of content, and operational overhead across all sessions.

Vague Triggers

Severity
High
Confidence
96%
Finding
The user-level configuration enables the hook globally with an empty matcher, causing execution on every prompt across all projects and contexts. That is more dangerous than project-local scope because it broadens persistence, increases the chance of capturing sensitive data from unrelated work, and makes accidental trust of local scripts or substituted paths more impactful.

Vague Triggers

Severity
Medium
Confidence
91%
Finding
Although presented as a lower-overhead setup, this example still uses an empty matcher, so it remains active for every prompt. That broad trigger can collect or act on irrelevant interactions and normalizes an insecure default despite the skill being intended for specific error/correction scenarios.

Vague Triggers

Severity
Medium
Confidence
92%
Finding
The Codex CLI example mirrors the same empty-matcher behavior, creating an all-prompts trigger condition in another agent environment. Because this skill is specifically about capturing learnings and reviewing context, broad activation can amplify sensitive-data exposure and prompt-derived persistence in routine interactions.

Session Persistence

Severity
Medium
Category
Rogue Agent
Confidence
84%
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
```
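The findings above reduce to three questions about any hook configuration this skill asks you to install: which events the hook fires on (an empty matcher, or a prompt-level event, means every prompt), where it is installed (a user-level file applies to every project on the machine), and where the script it runs comes from (a path under `$HOME` is not reviewed with the project). The Python audit below is an added example written for this page; it is not the skill's code and not SkillSpector's. It assumes the settings layout shown in the excerpt (`hooks`, then an event name, then a list of `{matcher, hooks}` groups, each hook carrying `type: "command"`) and, beyond what the page shows, that the shell command sits in a `command` key, that user-level settings live in `~/.claude/settings.json`, and that `PreToolUse`/`PostToolUse` matchers select tool names such as `Bash` while `UserPromptSubmit` fires on every prompt regardless of matcher. Both configurations and all script paths are constructed samples.

```python
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass

# Assumption (not stated on the page): prompt-level events run once per prompt and
# ignore "matcher"; tool-level events use "matcher" to select tool names (e.g. "Bash").
PROMPT_EVENTS = {"UserPromptSubmit"}
TOOL_EVENTS = {"PreToolUse", "PostToolUse"}
# Substrings that mean the hook reaches the network or pipes content into a shell.
REMOTE_MARKERS = ("curl ", "wget ", "| sh", "| bash", "nc ")


@dataclass(frozen=True)
class HookIssue:
    scope: str     # "project" (.claude/settings.json) or "user" (~/.claude/settings.json)
    event: str
    command: str
    issue: str


def _script_of(command: str) -> str:
    """First shell token of a command hook: the program that actually executes."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes: treat the whole string as the script
        return command
    return tokens[0] if tokens else ""


def audit_hooks(settings: dict, scope: str, project_root: str) -> list[HookIssue]:
    """Flag every command hook whose trigger scope or script origin widens the trust boundary."""
    issues: list[HookIssue] = []
    root = os.path.abspath(project_root)
    for event, groups in settings.get("hooks", {}).items():
        for group in groups:
            matcher = group.get("matcher", "")
            for hook in group.get("hooks", []):
                if hook.get("type") != "command":   # only shell hooks execute code
                    continue
                cmd = hook.get("command", "")       # assumption: shell command lives under "command"
                found: list[str] = []
                if scope == "user":
                    found.append("user-level hook: runs in every project on this machine")
                if event in PROMPT_EVENTS:
                    found.append("prompt-level event: runs on every prompt, matcher cannot narrow it")
                elif event in TOOL_EVENTS and matcher == "":
                    found.append("empty matcher: runs for every tool call, including ones whose output may hold secrets")
                script = _script_of(cmd)
                if script.startswith(("~", "$HOME")):
                    found.append("script resolved from the home directory, outside the project tree")
                elif os.path.isabs(script) and not os.path.abspath(script).startswith(root + os.sep):
                    found.append("script lives outside the project tree")
                if any(marker in cmd for marker in REMOTE_MARKERS):
                    found.append("command downloads or pipes into a shell; review for exfiltration")
                issues.extend(HookIssue(scope, event, cmd, msg) for msg in found)
    return issues


# Constructed sample mirroring the excerpt above: empty matchers, command hooks,
# scripts pulled from $HOME rather than vendored into the repository.
WEAK_PROJECT = {
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": "", "hooks": [
                {"type": "command", "command": "$HOME/.claude/hooks/self-improve.sh"}]},
        ],
        "PostToolUse": [
            {"matcher": "", "hooks": [
                {"type": "command", "command": "$HOME/.claude/hooks/inspect-output.sh"}]},
        ],
    }
}

# Constructed hardened variant: scripts checked into the project (so they are
# reviewed with it) and command-output inspection limited to the Bash tool.
HARDENED_PROJECT = {
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": "", "hooks": [
                {"type": "command", "command": "./.claude/hooks/self-improve.sh"}]},
        ],
        "PostToolUse": [
            {"matcher": "Bash", "hooks": [
                {"type": "command", "command": "./.claude/hooks/inspect-output.sh"}]},
        ],
    }
}


def main() -> None:
    for name, cfg, scope in (("weak/project", WEAK_PROJECT, "project"),
                             ("weak/user", WEAK_PROJECT, "user"),
                             ("hardened/project", HARDENED_PROJECT, "project")):
        print(f"== {name} ==")
        for i in audit_hooks(cfg, scope, "/work/repo"):
            print(f"{i.event:<16} {i.command:<45} {i.issue}")


if __name__ == "__main__":
    main()
```

The hardened variant still reports one item: a `UserPromptSubmit` hook runs on every prompt by construction, so scope (project-level) and script provenance (in-tree, reviewed) are the controls that remain, which is why the overview's advice concentrates on those two rather than on the matcher.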

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.