Felo Mindmap

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate Felo mindmaps as advertised, but it needs review because an undocumented endpoint override could send prompts and the API key somewhere other than the documented Felo API.

Install only if you are comfortable sending mindmap prompts to Felo. Confirm FELO_API_BASE is unset or points to the official Felo API before use, protect FELO_API_KEY, and avoid using this skill with secrets, regulated data, or confidential internal content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (91% confidence)
Finding
The README instructs users to send user-provided query content to the Felo Mindmap API and configure an API key, but it does not disclose that the skill transmits data to an external third-party service. In an agent context, users may assume content is handled locally; this omission can lead to unintended disclosure of sensitive prompts, notes, or proprietary information.

Missing User Warnings

Medium (93% confidence)
Finding
The skill explicitly directs sending `USER_PROMPT_HERE` to the external Felo Mindmap API, but it does not require any user-facing disclosure or consent before transmitting potentially sensitive prompt contents off-platform. In an agent setting, users may reasonably assume their input stays local unless told otherwise, so this creates a real data exfiltration/privacy risk if prompts contain secrets, proprietary information, or personal data.

VirusTotal

64/64 vendors flagged this skill as clean.
