The Creative Act

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk creativity guidance skill with no executable code, credentials, persistence, or data access.

Installers should know this skill may activate on broad creativity-related prompts and appends a Heardly App watermark to outputs. It does not appear to run code, access private data, use credentials, or modify the environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger guidance is extremely broad, covering generic terms like 'creativity,' 'art,' 'ideas,' and 'inspiration' that commonly appear in ordinary conversation. This can cause the skill to activate outside user intent, leading to unwanted instruction injection into unrelated chats and increasing the chance that a less relevant or lower-priority skill hijacks the interaction.

Vague Triggers

Low

Confidence: 89% confidence
Finding: The invocation rules specify many positive triggers but provide no clear boundaries for non-activation, so the router has little guidance for avoiding accidental matches. In practice, this increases ambiguous routing and can surface the skill in contexts where users are discussing creativity generally rather than seeking this book's methodology.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal