Thought Mining

Security checks across malware telemetry and agentic risk

Overview

This is a writing-coach skill that uses guided conversation and optional web searches for fact-checking, with no code execution, install script, credentials, or hidden data access.

Before installing, be aware that the skill may use web search during fact-checking, so avoid putting confidential unpublished ideas or sensitive personal details into search-oriented prompts. Use the explicit skill name if you want to avoid broad writing-help triggers starting the full workflow unexpectedly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger phrases include common expressions such as '帮我整理想法' and '写不出来', which are likely to appear in ordinary conversation outside the intended skill scope. This can cause accidental activation, leading the agent to switch into this workflow unexpectedly and potentially override the user's actual intent or conversational context.

Vague Triggers

Low

Confidence: 86% confidence
Finding: The activation guidance lists startup keywords and a generic dialogue template but does not define when the skill should not activate or how to distinguish this skill from normal writing help requests. Without exclusion conditions, the skill may engage in contexts where the user wanted lightweight assistance rather than a multi-stage process.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal