Firstprinciples thinking

Security checks across malware telemetry and agentic risk

Overview

This reasoning skill appears to save and index user problem content locally without clear disclosure or controls.

Review before installing. Use it only if you are comfortable with your reasoning prompts and derived analysis being saved locally, and avoid entering credentials, private business data, or personal information unless the skill adds clear opt-in, storage location, retention, export, and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill manifest declares no permissions, yet the static analyzer detected file read/write capabilities. That mismatch can allow persistent local data access without transparent user or platform awareness, which expands the attack surface and can enable unauthorized storage or retrieval of sensitive information.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The declared skill purpose is purely reasoning assistance, but the detected behavior includes persistent case storage, indexing, rescoring, export, and knowledge-base maintenance. This hidden functionality is dangerous because users may disclose sensitive strategic, personal, or business information to a reasoning skill without realizing it is being retained and organized on disk for later reuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The skill defines persistent storage paths for cases, exports, and patterns under the user's home directory, which exceeds a pure 'reasoning-only' capability and creates a durable data retention surface. Even though the paths are local and not inherently exfiltrating data, they enable silent accumulation of user-derived content and metadata that may be sensitive or unexpected in the context of a thinking aid.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: This code actively creates directories and writes local JSON/Markdown files, meaning the skill performs stateful filesystem modification rather than transient reasoning. In a skill advertised as first-principles thinking, this hidden persistence can capture prompts, titles, scores, and timestamps over time, increasing privacy risk and violating the principle of least surprise.

Context-Inappropriate Capability

Severity: Low
Confidence: 81%
Finding: The append/index/pattern archival functions create additional derived records of case metadata in Markdown files, broadening the number of places sensitive or identifying information may persist. This is lower severity than arbitrary code execution, but it increases data footprint and makes accidental disclosure more likely, especially because titles and pattern candidates are written verbatim.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script stores the full user-supplied problem text and derived analysis to persistent storage, then prints the resulting case object to stdout without any notice, consent flow, redaction, or sensitivity checks. If users provide confidential business data, credentials, personal data, or proprietary prompts, this creates an unintended disclosure and retention risk through local files, logs, terminal history, or upstream orchestration systems that capture stdout.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding: The code creates user-local storage directories and initial files without any visible disclosure or consent mechanism in this implementation. While local file creation is not inherently malicious, undisclosed persistence in a reasoning skill is risky because users may assume their inputs are ephemeral when they are not.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: These append operations write case IDs, titles, scores, promotion status, timestamps, and reusable pattern text into Markdown files without any evident warning. Because the fields are written verbatim, user-supplied or model-generated sensitive content may be duplicated into browsable index files, making privacy leaks and unintended retention more likely.

VirusTotal

64/64 vendors flagged this skill as clean.
