Think Cog

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed CellCog brainstorming integration, but users should avoid sending sensitive information to the external service.

Install only if you trust CellCog and are comfortable using a CellCog API key. Treat prompts and follow-up messages as information shared with a third-party service, use a revocable key when possible, and avoid including credentials, customer data, regulated information, or confidential plans unless you have authorization.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill positions itself for generic discovery-mode tasks like 'brainstorming' and 'help me figure out X,' which can cause it to trigger on very common user intents. That creates an unnecessary routing surface where users may invoke an external third-party service for ordinary thinking tasks without realizing it, increasing the chance of unintended data disclosure or inappropriate delegation.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The guidance tells users to 'share context generously' and provide constraints without any warning to avoid secrets, personal data, proprietary information, or regulated data. Because this skill sends prompts to an external service and encourages iterative back-and-forth sharing, it materially increases the likelihood of oversharing sensitive information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal