This self-improving skill autonomously modifies critical
Claims to do
When to Use: User corrects you or points out mistakes. You complete significant work and want to evaluate the outcome. You notice something in your own output that could be better. Knowledge should compound over time without manual maintenance.
Actually does
This skill manages a local knowledge base by reading and writing markdown files within `~/self-improving/` and potentially workspace files like `AGENTS.md`, `SOUL.md`, and `HEARTBEAT.md`. It processes user corrections and self-reflections to update its tiered memory system. It does not call external binaries, make network requests, or access data outside its designated directories.
`openclaw skills install ivangdavila/self-improving`
The skill is designed to modify critical workspace configuration files (`AGENTS.md`, `SOUL.md`, `HEARTBEAT.md`) to 'add standard self-improving steering.' This allows it to alter the behavior and memory of other agents, potentially establishing persistence for recurring tasks via `heartbeat-rules.md` or influencing how other agents are invoked.
Workspace setup should add the standard self-improving steering to the workspace AGENTS, SOUL, and `HEARTBEAT.md` files, with recurring maintenance routed through `heartbeat-rules.md`.
The skill explicitly states that it will 'run `setup.md`' if its primary directory does not exist. This mechanism allows for the execution of arbitrary commands defined within `setup.md`, posing a significant security risk if the script is compromised or contains malicious instructions.
If `~/self-improving/` does not exist, run `setup.md`.
The skill prescribes fully autonomous creation, modification, promotion, demotion, archival, and compaction of files without requiring user confirmation for most operations. Only deletion triggers a confirmation gate. This gives the skill broad autonomous write access to the filesystem.
Log automatically when you notice these patterns... Never delete without asking (deletion is the only gated action; writes, promotions, demotions are automatic)
The skill references optional installation of additional skills (memory, learning, decide, escalate, Proactivity) via `clawhub install`, and the setup flow can trigger this. The 'if user confirms' qualifier is present but the skill's proactive follow-through design may proceed with minimal friction.
Install with `clawhub install <slug>` if user confirms... Optional installation of the Proactivity skill may require network access
The 'Scope' section explicitly states the skill 'NEVER ... Reads files outside `~/self-improving/`' and 'NEVER ... Makes network requests.' These claims directly contradict earlier statements about interacting with `AGENTS.md`, `SOUL.md`, `HEARTBEAT.md` (which are external) and the potential for network access during optional skill installations. This discrepancy can mislead users or automated analysis about the skill's true operational boundaries.
"This skill NEVER: ... Reads files outside `~/self-improving/`" vs. `configPaths.optional:["./AGENTS.md","./SOUL.md","./HEARTBEAT.md"]` and "Workspace setup should add the standard self-improving steering to the workspace AGENTS, SOUL, and `HEARTBEAT.md` files." Also, "This skill NEVER: ... Makes network requests" vs. "Optional installation of the `Proactivity` skill may require network access".
The skill relies on a `boundaries.md` file to define security guidelines (e.g., 'never store credentials'). However, there's no active enforcement mechanism within the skill to prevent the agent from processing or storing sensitive data if prompted, making it vulnerable to manipulation.
Security Boundaries: See `boundaries.md` — never store credentials, health data, third-party info.
The automatic promotion mechanic (3 repetitions → promoted to HOT memory, always loaded) can be abused by an attacker who repeats a malicious instruction three times in conversation to get it permanently embedded as a HOT-tier rule that is loaded in every future session.
Pattern used 3x in 7 days → promote to HOT... After 3 identical lessons → ask to confirm as rule
Memory files (`memory.md`, `corrections.md`, `projects/*.md`, `domains/*.md`) are loaded back into the agent's context on subsequent sessions. If an attacker can influence what gets written to these files (e.g., through carefully crafted 'corrections'), they can inject prompt instructions that are re-read as authoritative agent memory in future sessions.
HOT (always loaded): memory.md... Every action from memory → cite source... Load only memory.md (HOT)
The skill promotes the installation of 'Related Skills' using `clawhub install <slug>`. While user confirmation is required, this mechanism could be exploited to recommend or facilitate the installation of malicious or compromised skills, leading to broader system compromise or the introduction of attacker-controlled sub-agents.
Install with `clawhub install <slug>` if user confirms:
The related skill 'escalate' is described as teaching the agent to 'Know when to ask vs act autonomously'. Combined with the self-improving skill's learned patterns, this could compound into the agent increasingly acting without user confirmation as it 'learns' to prefer autonomous action.
escalate — Know when to ask vs act autonomously
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.