Fragment Thoughts Organizer En

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only personal note organization skill whose privacy risks are real but mostly disclosed and aligned with what it says it does.

Install only if you are comfortable having personal fragments handled in the agent's conversation history and possibly in any note tools you have connected. Avoid putting credentials, financial details, health details, or highly private names into fragments unless you understand your host agent's retention and note-sync settings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Intent-Code Divergence

Medium

Confidence: 88% confidence
Finding: The file establishes a strict rule that the archive is a factual listing with no narrative, reflection, summary, or conclusion, but later introduces a synthesized 'Most Notable One Today' section. That contradiction can cause the agent to exceed the declared behavior and generate interpretive content, which is risky because the skill metadata explicitly says not to draw conclusions for the user.

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The document says original words must be preserved, yet the notable-item section allows content that 'wasn't in the fragment log before' and 'grew today.' That authorizes the agent to fabricate or infer new text beyond the source material, undermining fidelity and increasing the chance of false attribution or unintended coaching.

Description-Behavior Mismatch

High

Confidence: 96% confidence
Finding: The guidance explicitly instructs the system to produce 'something new that grew today,' which is a distilled conclusion rather than archival organization. In this skill context, that is especially dangerous because users are expecting neutral preservation of fragments; hidden synthesis can steer interpretation, misrepresent the user's thinking, and violate the stated scope of not drawing conclusions for the user.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The example invocations include broad natural-language phrases such as 'Untangle my brain, it's a mess' and 'Any connections between my recent fragments' that could be triggered during ordinary conversation, causing the skill to activate unintentionally. In a memory-oriented skill, accidental activation can lead to collection, organization, or resurfacing of sensitive user content without clear intent.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The file discloses storage behavior only in the FAQ, stating that conversation history may serve as the fragment log and that connected note tools may store content, but it does not present this as an upfront warning before users start sharing sensitive fragments. Because the skill is designed to capture raw thoughts, feelings, names, and snippets, insufficient disclosure materially increases privacy risk.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The example uses broad trigger phrases like "what have I been thinking about lately" and "any connections in my fragments," which can match loosely related user requests without clear boundaries. In a skill that processes personal notes and surfaces cross-period patterns, overbroad invocation can cause the agent to enter analysis mode unexpectedly and reveal aggregated sensitive reflections when the user did not intend that specific operation.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger guidance says to load this file when the user says broad phrases like "what have I been thinking about" or "any connections in my fragments." Those phrases can plausibly occur in ordinary conversation or reflective journaling without an explicit intent to invoke this analysis mode, which can cause the agent to activate latent-connection processing unexpectedly. In a journaling skill handling sensitive personal fragments, unintended activation increases privacy and safety risk because the system may aggregate and surface cross-day personal patterns the user did not mean to request at that moment.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The instruction to echo the user's original words and preserve the voice increases the chance that secrets, personal data, emotional disclosures, or regulated information are repeated back verbatim in responses and retained in logs. Verbatim repetition is especially risky in a capture-oriented skill because users may paste sensitive fragments casually without realizing they will be mirrored and preserved.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The cross-period connection feature explicitly retrieves prior fragments and includes original quotes, which can resurface sensitive data long after it was first shared and in a new context the user did not anticipate. This amplifies privacy exposure because the skill is designed to connect people, emotions, scenes, and themes across time, making sensitive patterns easier to reveal.

Ssd 3

Medium

Confidence: 97% confidence
Finding: Designating conversation history as the fragment log encourages persistent retention of all user inputs, including stray thoughts, people, feelings, and links that may be highly sensitive or context-dependent. Long-lived retention increases the blast radius of compromise, accidental disclosure, or later unintended resurfacing, particularly for a skill centered on raw personal cognition.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal