There Are Rivers in the Sky

Security checks across malware telemetry and agentic risk

Overview

This is a text-only literature companion skill with some broad activation and promotional footer behavior, but no hidden code, data access, persistence, or destructive capability.

Before installing, know that this skill may respond to broad prompts about grief, memory, storytelling, water, or not knowing how to start, and it appends a Heardly promotional watermark. It appears safe from a security standpoint, but users who want narrow, explicit book-only activation may find it too proactive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger conditions are broad enough to match common emotional or literary discussion, as well as generic onboarding statements like having just installed the skill or not knowing how to start. This can cause the skill to activate in conversations where the user did not intend to invoke it, leading to prompt hijacking of the interaction, reduced user autonomy, and unintended disclosure of sensitive context into the skill’s framing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal