Deep Thinking Protocol

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed deep-reasoning/checklist skill with no hidden execution or exfiltration, but it may expose or locally save sensitive context if used carelessly.

Install only if you want a verbose reasoning aid. Do not use it with secrets, confidential business plans, private personal data, or production credentials unless you are comfortable with that content appearing in visible reasoning or an optional local report. Keep any suggested shell, web, memory, or file access under explicit user control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'filename' from input (line 353, user input) → open (file write)

Medium
Category
Data Flow
Content
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
filename = f"thinking_report_{timestamp}.json"

# report contents (user-supplied problem description, stakeholders, etc.) are written to disk unprompted
with open(filename, 'w', encoding='utf-8') as f:
    json.dump(report, f, ensure_ascii=False, indent=2)

print(f"\n报告已保存到: {filename}")
Confidence
90% confidence
Finding
with open(filename, 'w', encoding='utf-8') as f:

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to produce a 'comprehensive, natural, unfiltered' thinking process and place it in a visible or recorded block. That creates a direct chain-of-thought disclosure risk, which can leak sensitive user data, hidden policy reasoning, or intermediate analysis that should remain private.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Telling the assistant that the final response should include all useful thoughts collapses the separation between private deliberation and user-visible output. This increases the chance of exposing sensitive intermediate content, speculative analysis, or policy-governed reasoning that should be filtered before disclosure.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The examples for a reasoning-oriented skill include concrete operational commands such as curl, git, mysql, jstack, and an agent-style `openclaw exec` invocation. That expands the apparent capability of the skill from analysis into system interaction and command execution, which can normalize unsafe behavior and cause downstream agents or users to run sensitive diagnostic commands in production without appropriate guardrails.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This reference for a reasoning-focused skill explicitly encourages use of exec and web_search, which expands the agent from analysis into system access and external network interaction without clear task-bound safeguards. In a 'deep thinking' skill, that broad tool guidance can normalize unnecessary capability use, increasing the risk of command execution, data exposure, or untrusted external content influencing outputs.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is broad enough to apply to many ordinary interactions involving analysis, technical questions, or decision support. Overbroad activation increases the blast radius of the unsafe reasoning-disclosure instructions, causing the skill to engage in contexts where private reasoning and data minimization matter.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists a detailed report containing user-supplied problem description, stakeholders, constraints, and success criteria to disk without warning about sensitivity, minimization, or storage protections. In the context of a deep-thinking assistant, these inputs may include strategic, technical, or personal data, so silent persistence increases the risk of unintended disclosure through local file access, backups, syncing, or shared environments.

Ssd 3

Medium
Confidence
97% confidence
Finding
The requirement to expose detailed internal reasoning creates a natural-language data exfiltration path. If the model processes secrets, personal data, hidden prompts, or sensitive evidence during analysis, those details may be reproduced in the visible thought block or echoed back to the user.

Ssd 3

Medium
Confidence
90% confidence
Finding
The protocol tells the assistant to restate the user's information as part of the thought process, which becomes risky when combined with later directions to include useful thoughts in final output. This can unnecessarily replicate sensitive user content, increasing disclosure risk and violating data-minimization principles.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal