Core Brainstorming

Security checks across malware telemetry and agentic risk

Overview

This brainstorming skill is not malware-like, but it can trigger too broadly and tells the agent to write and commit project documentation without explicit approval.

Review this before installing if you do not want a planning skill to run for routine creative or coding work. If you use it, require explicit approval before writing docs or making git commits, and translate/review the Chinese instructions if that is not your working language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding:
The activation text says this skill 'must be used before any creative work' and then lists very broad examples, which can cause the agent to invoke it in many unrelated situations. Overly broad mandatory routing can override more appropriate skills or user intent, creating control-flow ambiguity and increasing the chance of unnecessary file inspection, git actions, or premature process enforcement.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding:
The skill content is entirely in Chinese and does not offer a language choice or document a justified locale restriction. This can cause unsafe misunderstanding of instructions, user intent, or generated plans when the surrounding environment or user operates in another language, reducing transparency and reviewability rather than directly enabling code execution.

VirusTotal

66/66 vendors flagged this skill as clean.
