Security audit

creative-thought-partner

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only creative coaching skill that fits its stated purpose, though it may save local session transcripts users should treat as persistent notes.

Install this only where saving creative-session notes is acceptable. Avoid sharing secrets, sensitive personal information, or proprietary business details unless you are comfortable with the conversation being written to a local transcript file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The description is broad enough to trigger on many ordinary brainstorming or writing-related requests, which can cause the skill to activate when the user did not explicitly ask for it. Over-broad routing is a security and safety issue because it increases unintended prompt injection surface and may steer unrelated conversations into this skill's behavior and file-writing workflow.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to export a full transcript and session notes to a file, but it does not tell the user that their conversation will be retained or ask for consent before saving. This creates a real privacy risk because sensitive brainstorming content, personal details, or proprietary ideas may be written to storage unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal