Security audit

auto-evolving-agent (autonomous agent self-evolution)

Security checks across malware telemetry and agentic risk

Overview

This non-executable skill is transparent about self-evolution, but it gives the agent broad authority to change its own behavior, skills, prompts, and memory with under-scoped triggers.

Install only if you intentionally want an agent that can propose changes to its own prompts, skills, memory, and behavior. Keep automatic and scheduled evolution disabled unless explicitly needed, review every proposed diff or module change before approval, and avoid storing sensitive conversation content in the memory or gene pool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium severity, 93% confidence

The trigger phrases are broad, generic requests such as 'optimize myself' and 'generate 3 improvement ideas', which can activate the skill during ordinary conversations unrelated to self-modification. In a skill explicitly designed to evolve itself, this increases the chance of accidental invocation and unintended changes to agent behavior, prompts, or installed capabilities.

Vague Triggers

Medium severity, 95% confidence

The trigger phrases are broad natural-language requests such as 'optimize myself' and 'help me evolve' that can overlap with ordinary user instructions. In a self-modifying skill, this raises the chance of unintended activation and can cause the agent to begin planning changes to its own behavior or files without a narrowly scoped, explicit invocation.

Vague Triggers

Medium severity, 93% confidence

The automatic triggers after task completion, user satisfaction signals, or repeated similar tasks are vague and subjective, making it easy for the skill to activate when the user did not intentionally request self-evolution. Because the skill's scope includes modifying its own configuration, creating skills, and changing prompts/workflows, ambiguous auto-invocation meaningfully increases risk.

Vague Triggers

Medium severity, 97% confidence

Periodic auto-evolution introduces recurring self-directed behavior without a clear bounded scope, rate limit, or default-off guarantee. Even with stated confirmation steps, repeated automated prompts or background evolution cycles can normalize self-modification, accumulate risky changes, and increase the attack surface over time.

Ssd 3

Medium severity, 94% confidence

The memory design broadly retains evolution inputs, user feedback, task history, and successful/failed patterns across hot/warm/cold storage and gene-pool persistence. This creates a real data retention risk because sensitive content from conversations can be stored, reused in later prompts, or exposed through summaries, logs, or derived skills without clear minimization or deletion controls.

VirusTotal

66/66 vendors flagged this skill as clean.