Back to skill

Security audit

self-improving agent

Security checks across malware telemetry and agentic risk

Overview

This skill keeps local learning notes and can optionally scan ended OpenClaw sessions for error snippets, but those behaviors are disclosed, local, and aligned with its purpose.

Install only if you want persistent local learning logs and optional OpenClaw hook behavior. Keep .learnings out of version control, review entries before sharing a workspace, and avoid enabling the hook in sessions that may contain credentials, customer data, or other sensitive transcript content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and documents shell commands, hook installation, transcript sweeping, and cross-session features that imply filesystem, environment, and potentially network access, but it does not declare permissions or narrowly scope those capabilities. In practice this weakens user/operator understanding of what the skill can touch, increasing the chance of over-trusting a skill that can read or propagate sensitive workspace data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose is lightweight learning capture, but the body adds materially broader behavior: hook-based bootstrap injection, automatic transcript scanning, auto-writing error triage entries, and reusable skill extraction. This mismatch can mislead users into enabling a skill with persistence and session-inspection behavior they did not reasonably expect, which is especially risky for transcripts that may contain secrets or sensitive project context.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly promotes use of session listing, transcript reading, message sending, and session spawning across sessions. Even with a warning to use trusted environments, exposing transcript access and inter-session sharing expands the data exposure surface and can leak sensitive context between tasks, users, or trust zones if invoked carelessly.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation criteria are very broad and map to common development situations such as failures, corrections, outdated knowledge, or discovering a better approach. That makes accidental invocation likely, which matters here because the skill can write logs, influence persistent memory, and suggest broader actions like promotion or cross-session sharing.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases overlap heavily with ordinary conversational language such as 'Can you also...' or 'Actually...'. In a skill that persists data and may shape future behavior, loose trigger matching can capture unintended content, create noisy or sensitive logs, and cause the agent to take actions the user did not explicitly request.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The hook automatically scans prior session transcripts and persists matched excerpts into `.learnings/ERRORS.md`, which creates a secondary copy of conversation/tool output data on disk. Although the code attempts redaction and mentions truncation, the write path has no explicit consent, notice, or policy gate beyond the presence of `.learnings/`, so sensitive content from transcripts may still be retained unexpectedly if redaction misses secrets or private data.

Session Persistence

Medium
Category
Rogue Agent
Content
## Opt-In and Safety

- The sweep only runs when `<workspace>/.learnings/` exists — create that
  directory to enable it, delete it to disable it
- `ERRORS.md` is created only if missing and is otherwise appended to, never
  overwritten
Confidence
90% confidence
Finding
create that directory to enable it, delete it to disable it - `ERRORS.md` is created only if missing and is otherwise appended to, never overwritten - Excerpts are truncated to 200 characters and

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.