Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent self-improvement logger, but it can persist conversation-derived information into future agent context and cross-session workflows without enough privacy and review controls.

Install only if you intentionally want durable agent memory. Keep it project-scoped, avoid global hooks unless you have reviewed the scripts, require human review before promoting anything into AGENTS.md, CLAUDE.md, SOUL.md, TOOLS.md, or Copilot instructions, and redact secrets, personal data, proprietary content, raw transcripts, and untrusted user text before saving or sharing learnings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding:
The document claims the scripts 'only output text' and 'don't modify files or run commands,' but the setup explicitly configures them as shell commands via the hook system. This is a misleading security assurance that can cause operators to underestimate execution risk, especially because any invoked shell script can perform arbitrary actions with the agent's privileges.

Vague Triggers
Severity: Medium
Confidence: 81%
Finding:
The activation guidance is extremely broad and can cause the skill to run during many normal interactions, increasing the chance of unnecessary logging and persistence of user content. In an agent environment, over-broad activation expands the data collection surface and makes accidental retention more likely.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding:
The automatic triggers match everyday phrases like corrections and feature requests, so routine conversation can be converted into durable records without clear user intent. That makes the skill prone to over-collection and persistent storage of user-supplied text that was only meant for the current exchange.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding:
An empty matcher causes the hook to fire on every prompt, creating a broad automatic trigger surface. In this skill context, that means arbitrary user input is repeatedly fed into a command-backed hook path, increasing the chance of prompt-triggered abuse, privacy leakage, or unnecessary execution of local scripts.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding:
Global user-level activation combined with an empty matcher broadens the trigger from one project to all prompts in all contexts. This increases risk because the hook runs persistently across sessions and repositories, amplifying the blast radius of any bug, unsafe script behavior, or prompt-sensitive side effect.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding:
The 'minimal setup' reduces the number of hooks but still leaves the trigger unconditional by using an empty matcher. That means the script executes on every prompt despite being presented as lower overhead, which can still create broad exposure and normalize unnecessary command execution.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding:
The Codex example repeats the same overly broad empty matcher pattern, causing hook execution for all prompts without contextual limits. Because this is documentation intended for reuse, it propagates an insecure default across another toolchain and encourages users to deploy unconditional command hooks.

Ssd 3
Severity: Medium
Confidence: 90%
Finding:
The skill encourages persistent logging of corrections, requests, and other session-derived information into shared files, creating a natural language data retention channel. Even if intended for productivity, this can capture sensitive prompts, internal context, or user-specific details that outlive the session and may be read by others or future agents.

Ssd 3
Severity: High
Confidence: 95%
Finding:
Guidance to read other session transcripts and send learnings across sessions without sensitivity boundaries creates a direct cross-session data leakage path. This is especially dangerous in multi-user or multi-task environments because one session's confidential context can be propagated into unrelated sessions or agents.

Ssd 3
Severity: High
Confidence: 97%
Finding:
The templates explicitly ask for full context, inputs, parameters, environment details, and user context, which strongly encourages verbatim capture of sensitive data. In practice this can include secrets, proprietary code fragments, filesystem paths, customer data, or operational details that should not be retained in logs.

Ssd 3
Severity: Medium
Confidence: 89%
Finding:
Automatically logging user-provided corrections and new information encourages broad retention of content supplied during normal conversation, regardless of sensitivity. This creates a persistent memory channel that can accumulate private or regulated data over time.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal