The Element

Security checks across malware telemetry and agentic risk

Overview

This is a book-based self-improvement coaching skill with broad activation and branding, but no code execution, data access, or hidden operations.

Install this if you want a Heardly-branded, book-based career and creativity coach. Be aware it may activate on broad passion, purpose, creativity, or career-stuck prompts and append its watermark, but it does not show evidence of accessing files, credentials, accounts, or running commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger list includes broad phrases and generic concepts such as creativity, talent, passion, and flow, plus activation on install. That can cause the skill to activate in conversations where the user did not intend to invoke this book-specific guidance, increasing the chance of irrelevant or intrusive responses and scope hijacking over other skills.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The instruction that the skill appears whenever it 'senses this book could help' creates an ambiguous activation boundary with no clear user-consent or confidence threshold. In practice, this can lead to overbroad invocation and unsolicited behavioral steering, especially because the skill is designed to proactively present a full onboarding message.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal