Deep Discussion

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-agent discussion skill that creates local discussion artifacts. Users should avoid feeding it secrets, because it saves every expert's full output to disk.

Install only if you are comfortable with subagents seeing the discussion context and with full expert responses being saved locally under workspace/deep-discussion. Do not include passwords, tokens, private customer data, or confidential material unless you intend it to appear in those logs, and delete the generated files after use if retention matters to you.
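As an added example (not part of the skill and not code from this report), the following Python shows the minimization the overview asks for on the user side: scrub credential-shaped strings from an expert's output before it is appended to discussion-log.md, bound the entry size, and delete the generated artifacts once the discussion is over. The file names discussion-log.md and orchestrator-state.json are the ones named on this page; the secret patterns, the sample expert output and the function names are constructed assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Credential-shaped patterns (assumed set; extend for your environment). Each entry is
# (regex, replacement); the replacement may be a string or a callable for re.subn().
SECRET_PATTERNS = [
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[REDACTED_GITHUB_TOKEN]"),
    (re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"), "[REDACTED_API_KEY]"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED_PRIVATE_KEY]"),
    # Generic "key=value" / "key: value" assignments: keep the key name, drop the value.
    (re.compile(r"(?i)\b(password|passwd|token|secret|api[_-]?key)\s*[:=]\s*\S+"),
     lambda m: m.group(1) + "=[REDACTED]"),
]

# Constructed sample of what a spawned expert might return; the credentials are dummies.
EXPERT_OUTPUT = """\
Security expert analysis (constructed sample, not real skill output):
The deployment script reads AWS_SECRET from the environment. Config seen:
  aws_access_key_id=AKIAIOSFODNN7EXAMPLE
  password: hunter2
Recommend rotating the GitHub token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 too.
"""


def redact_secrets(text: str) -> tuple[str, int]:
    """Scrub credential-shaped strings; returns (cleaned text, number of redactions)."""
    total = 0
    for pattern, replacement in SECRET_PATTERNS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


def append_expert_output(log_path: Path, expert: str, output: str, max_chars: int = 4000) -> int:
    """Append a redacted, size-bounded entry to the discussion log. The skill itself
    mandates verbatim appends; this wrapper is the minimization step it lacks."""
    cleaned, redactions = redact_secrets(output)
    if len(cleaned) > max_chars:
        cleaned = cleaned[:max_chars] + "\n[truncated]"
    log_path.parent.mkdir(parents=True, exist_ok=True)
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(f"\n## {expert}\n\n{cleaned}\n")
    return redactions


def purge_workspace(workspace: Path) -> list[str]:
    """Delete the artifacts this page says the skill writes; returns the names removed."""
    removed = []
    for name in ("discussion-log.md", "orchestrator-state.json"):
        path = workspace / name
        if path.exists():
            path.unlink()
            removed.append(name)
    return removed


def demo() -> dict:
    """Run the whole mitigation in a scratch directory and return checkable results."""
    workspace = Path(tempfile.mkdtemp(prefix="deep-discussion-"))
    log_path = workspace / "discussion-log.md"
    redactions = append_expert_output(log_path, "Security Expert", EXPERT_OUTPUT)
    logged = log_path.read_text(encoding="utf-8")
    (workspace / "orchestrator-state.json").write_text("{}", encoding="utf-8")
    removed = purge_workspace(workspace)
    remaining = sorted(p.name for p in workspace.iterdir())
    shutil.rmtree(workspace)
    return {"redactions": redactions, "logged": logged,
            "removed": sorted(removed), "remaining": remaining}


if __name__ == "__main__":
    result = demo()
    print(f"{result['redactions']} redactions; removed {result['removed']}")
    print(result["logged"])
```

Pattern-based redaction only catches credentials that look like credentials; free-text confidential material still lands in the log, which is why the purge step matters as much as the scrub.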

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The document explicitly instructs the assistant to automatically invoke a local `exec` command before user confirmation. Even though the command is only a config read, it normalizes autonomous shell access unrelated to the core user-visible discussion task and creates an execution pathway on the host without informed consent.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill requires storing complete raw expert outputs in `discussion-log.md` without any minimization, consent, or retention guidance. In a multi-agent workflow, those raw outputs can easily contain sensitive user data, proprietary content, or model-generated secrets, making persistent logging an avoidable privacy exposure.

Missing User Warnings
Severity: Low
Confidence: 85%
Finding: The workflow silently creates and updates a persistent `orchestrator-state.json` file, which is a form of user/session data retention not clearly disclosed to the user. Even if the contents are operational, state files can still reveal topics, progress, timestamps, and context across resumed sessions.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The document explicitly requires appending each expert's complete output to `discussion-log.md`, which creates unnecessary retention of potentially sensitive prompts, model outputs, user data, or secrets that may appear during discussion. In a multi-agent orchestration context, verbatim logging increases the chance that sensitive content is later exposed through logs, reports, or downstream reuse, especially because the requirement is mandatory and unconditional.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The guide repeatedly instructs the agent to append discussion content to files, but does not require notifying the user that potentially sensitive prompts and model outputs will be persisted to disk. In a multi-agent discussion workflow, these transcripts may contain confidential data, making silent storage a privacy and data-retention risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill directs the assistant to run a system command automatically via `exec` without a user-facing warning or approval prompt. Silent command execution is dangerous because it conditions the agent to act on the local environment without transparency, which could be extended or imitated in more harmful variants.

Ssd 3
Severity: Medium
Confidence: 94%
Finding: The skill instructs the system to persist full discussion records and derived reports, which naturally aggregates user context and subagent outputs into durable artifacts. In a collaboration skill, this increases the blast radius of any sensitive information shared during analysis because it is copied into multiple files rather than kept transient.

Ssd 3
Severity: High
Confidence: 98%
Finding: This instruction is the strongest data-handling risk in the skill: it mandates appending every expert response in full, forbids summarization, and requires persistence to `discussion-log.md`. That creates a high likelihood of wholesale disclosure of sensitive prompts, user data, proprietary analysis, or accidental secrets across the full transcript.

Ssd 3
Severity: Medium
Confidence: 92%
Finding: The orchestrator template explicitly passes `user_context` into the workflow and couples that with persistent logs and resumable state. This broad propagation of background context across subagents and files increases unnecessary disclosure risk, especially when the context may include personal, confidential, or business-sensitive details irrelevant to every expert.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The instruction to append every expert's full raw output to a shared discussion log creates a direct data exposure surface. Because expert outputs may include sensitive user-provided information, internal reasoning, confidential source material, or generated secrets, preserving all of it verbatim increases both retention risk and the blast radius of any later disclosure or report generation.

Ssd 3
Severity: Medium
Confidence: 94%
Finding: The prescribed log format preserves complete original expert responses verbatim in markdown, making sensitive content easy to copy into shared artifacts and final reports. In this skill's context, the orchestrator later generates summaries and reports from accumulated discussion material, so storing raw content raises the likelihood of inadvertent leakage across phases, participants, or outputs.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: The template explicitly requires appending each expert's complete raw output to a persistent discussion log immediately after every spawn. In a multi-agent discussion skill, experts may reproduce sensitive user inputs, secrets, proprietary content, or harmful outputs from other agents, so mandatory verbatim retention creates an unnecessary data persistence and privacy exposure risk.
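The twelve findings reduce to four textual patterns in the skill document: a shell instruction that runs before (or without) user approval, a mandatory verbatim append to the discussion log, a silently maintained state file, and `user_context` fanned out to every expert. As an added example, not SkillSpector's code and not part of this report, the Python below detects those patterns with paragraph-level heuristics and runs them over a constructed skill excerpt modelled on the findings (the excerpt is not the real Deep Discussion text). The regexes, the severity mapping and the `config.json` placeholder are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    line: int      # 1-indexed line in the skill document
    excerpt: str   # the offending line, stripped


# Assumed heuristics, one per risk class in the findings above.
EXEC_RE = re.compile(r"(?i)(?:^|[\s`])(exec|shell|bash)\b")
# An approval gate only counts if it precedes the exec instruction in the same paragraph.
APPROVAL_GATE_RE = re.compile(
    r"(?i)\b(only (?:after|if|once)|after|once)\b[^.\n]*\b(approv\w*|confirm\w*|consent\w*)")
VERBATIM_LOG_RE = re.compile(
    r"(?i)\b(append|write|save|store|persist)\b[^.\n]*\b(complete|full|entire|raw|verbatim)\b")
NO_SUMMARY_RE = re.compile(r"(?i)\b(do not|don't|never) (summari[sz]e|truncate|abbreviate)")
STATE_FILE_RE = re.compile(r"[\w-]*state\.json")
CONTEXT_RE = re.compile(r"\{\{\s*user_context\s*\}\}|\buser_context\b")

# Constructed skill excerpt modelled on the findings; not the real Deep Discussion text.
SKILL_TEXT = """\
# Deep Discussion (constructed excerpt)

## Setup
Before asking the user anything, run `exec cat config.json` to load defaults,
then confirm the discussion topic with the user.

## Orchestrator loop
After every expert spawn, append the expert's complete output to
workspace/deep-discussion/discussion-log.md. Do not summarize.
Update workspace/deep-discussion/orchestrator-state.json after each phase.
Pass {{user_context}} to every expert prompt.

## Cleanup
Only after the user approves, run `exec rm -r workspace/deep-discussion`.
"""


def paragraphs(text: str):
    """Yield (start_line, paragraph_text) for blank-line separated blocks, 1-indexed."""
    buf, start = [], None
    for i, line in enumerate(text.splitlines(), 1):
        if line.strip():
            if start is None:
                start = i
            buf.append(line)
        elif buf:
            yield start, "\n".join(buf)
            buf, start = [], None
    if buf:
        yield start, "\n".join(buf)


def scan_skill(text: str) -> list[Finding]:
    """Return findings sorted by line; each check fires at most once per paragraph."""
    findings: list[Finding] = []
    lines = text.splitlines()

    def add(check: str, severity: str, start: int, para: str, pos: int) -> None:
        line = start + para[:pos].count("\n")
        findings.append(Finding(check, severity, line, lines[line - 1].strip()))

    for start, para in paragraphs(text):
        m = EXEC_RE.search(para)
        if m:
            gate = APPROVAL_GATE_RE.search(para)
            if gate and gate.start() < m.start():
                add("Shell execution (approval-gated)", "Low", start, para, m.start())
            else:
                add("Unprompted shell execution", "Medium", start, para, m.start())
        m = VERBATIM_LOG_RE.search(para)
        if m:
            # Forbidding summarization removes the only minimization the agent could apply.
            severity = "High" if NO_SUMMARY_RE.search(para) else "Medium"
            add("Mandatory verbatim retention", severity, start, para, m.start())
        m = STATE_FILE_RE.search(para)
        if m:
            add("Undisclosed persistent state", "Low", start, para, m.start())
        m = CONTEXT_RE.search(para)
        if m:
            add("Broad context propagation", "Medium", start, para, m.start())
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_skill(SKILL_TEXT):
        print(f"L{f.line} [{f.severity}] {f.check}: {f.excerpt}")
```

The gated variant in the Cleanup paragraph is still reported, at lower severity, because an approval gate written in prose is only as strong as the model's adherence to it; a reviewer should confirm the host actually enforces the prompt.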

VirusTotal

None of the 64 VirusTotal vendors flagged this skill (64/64 clean). Antivirus verdicts cover known-malware signatures only; they say nothing about the data-retention and unprompted-execution findings above, which are behavioural properties of the skill text rather than malicious code.