Lean Thinking

Security checks across malware telemetry and agentic risk

Overview

This skill provides Lean Thinking guidance and onboarding text, with no executable code or sensitive access, though its activation wording is broad.

Install this if you want Lean Thinking guidance. Be aware it may activate on general process-improvement or onboarding language and will append Heardly branding/watermark text to responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill is configured to trigger not only on lean-specific phrases but also when a user says they just installed the skill or does not know how to start. That broad onboarding condition can cause unsolicited invocation in contexts unrelated to Lean Thinking, increasing the chance of wrong-skill activation, user confusion, and unintended instruction injection into unrelated conversations.

Vague Triggers

Medium
Confidence: 80%
Finding
The phrase 'I'll show up whenever I sense this book could help' uses subjective, ambiguous matching language rather than clear invocation boundaries. In agent systems, vague routing criteria can lead to over-triggering and accidental activation on loosely related operational-improvement queries, expanding the skill's reach beyond intended scope.

VirusTotal

64/64 vendors flagged this skill as clean.
