Big Magic

Security checks across malware telemetry and agentic risk

Overview

This is a text-only creative coaching skill with disclosed onboarding and branding, and no evidence of code execution, data access, persistence, or exfiltration.

Install only if you want Big Magic-style creative coaching and are comfortable with the skill sometimes activating on broad creativity-related language and appending a Heardly-branded watermark to its responses.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger list is broad enough to activate on many ordinary conversations about art, writing, inspiration, or creative process, which can cause the skill to intercept requests outside a clear user intent to use this framework. This is not a code-execution or data-exfiltration issue, but it can degrade routing integrity, produce irrelevant responses, and override more appropriate skills or default behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal