Innovation Assistant by TRIZ

Security checks across malware telemetry and agentic risk

Overview

This TRIZ skill is built around remote analysis services: it sends potentially sensitive invention details (problem statements, solution summaries, image prompts) to external TRIZ and image-generation endpoints, and it does so without a clear user consent step and without narrowly scoping what is sent or where it goes.

Install only if you are comfortable sending TRIZ problem statements, solution summaries, and image prompts to the referenced remote services. Avoid using it with confidential inventions, trade secrets, regulated data, customer data, credentials, or export-controlled technical details unless the endpoints and retention terms are approved by your organization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares shell-based tool invocations (`bash scripts/...`) and requires `curl`/`jq`, but no explicit permissions model is declared. That creates a capability/expectation gap: an agent or platform may expose shell execution without clear user awareness or policy gating, increasing the risk of unintended command execution and outbound network access. The risk is somewhat moderated because the skill openly documents external API use and appears intended to call a specific service, but undeclared shell capability still expands attack surface.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script adds a remote image-generation capability that is not reflected in the skill's stated TRIZ analysis purpose, creating a capability/manifest mismatch. Hidden or undocumented networked features are dangerous because they expand the skill's effective behavior and can cause users or reviewers to underestimate what data is sent off-platform.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This skill is described as an analytical TRIZ assistant, but the script invokes a remote image_generation tool, which is not obviously necessary for that purpose. Unjustified remote capabilities increase attack surface and may enable unexpected data handling or feature abuse beyond user expectations.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The description uses very broad applicability terms such as innovation, problem solving, optimization, and technical breakthroughs, which can cause the skill to be invoked in many contexts beyond its narrowly appropriate use. Over-broad routing increases the chance that users provide sensitive technical or business data to a workflow that transmits content to an external service, making accidental data exposure more likely. The privacy warning reduces but does not eliminate this risk because invocation may happen before a user appreciates the external data flow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to automatically send each selected solution's idea_summary to an external image-generation tool and then display the returned image URLs, but it provides no user disclosure, consent step, or data-minimization guidance. Because the summaries are derived from user-selected problem descriptions, this can unintentionally transmit sensitive proprietary or confidential technical information to an external service and expose users to unvetted remote content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script takes user-supplied problem data and posts it to a remote service without any explicit notice, confirmation, or data-classification guard. In this skill's context, problem descriptions may contain proprietary R&D details, making silent exfiltration to an external endpoint a real confidentiality risk even if the transmission is part of intended functionality.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends user-supplied idea_id and image_description to an external HTTPS endpoint without any user-facing disclosure, consent, or data-classification check. This is risky because users may provide sensitive invention details or proprietary information, which would then be transmitted to a remote service unexpectedly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script transmits arbitrary user-supplied input to a remote third-party MCP endpoint but provides no disclosure, consent prompt, or warning that local data entered on the command line will leave the host. This is a real data-exposure issue because users may pass sensitive problem statements, proprietary technical details, or credentials assuming the script operates locally, and the TRIZ analysis context makes such sensitive engineering content especially likely.

External Transmission

Medium
Category
Data Exfiltration
Content
exit 1
fi

curl -s -X POST "$MCP_URL" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  --data "$(jq -n \
Confidence
95% confidence
Finding
The quoted `curl -s -X POST "$MCP_URL" -H "Content-Type: application/json" -H "Accept: application/json, text/event-stream" --data "$(jq -n ...)"` call posts a JSON body assembled by `jq -n` from the script's arguments to the endpoint named by `$MCP_URL`, so the user-supplied text in those arguments leaves the host in that request body.

External Transmission

Medium
Category
Data Exfiltration
Content
exit 1
fi

curl -s -X POST "$MCP_URL" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  --data "$(jq -n \
Confidence
93% confidence
Finding
The quoted `curl -s -X POST "$MCP_URL" -H "Content-Type: application/json" -H "Accept: application/json, text/event-stream" --data "$(jq -n ...)"` call posts a JSON body assembled by `jq -n` from the script's arguments to the endpoint named by `$MCP_URL`. Because `-s` also silences curl's error output, a failed or rejected upload produces no message for the user either.
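
The controls the Missing User Warnings and External Transmission findings describe as absent, shown as an added example that is not the skill's own code: an https-only endpoint allowlist in place of a bare `$MCP_URL`, a prompt that shows the exact payload and destination before anything is sent, and a pattern-based data-classification guard in front of the quoted `curl ... --data "$(jq -n ...)"` call. The allowlisted host `triz.example.invalid`, the `TRIZ_CONSENT` variable, the `--dry-run` argument and the JSON field names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added illustration of controls the findings say the skill lacks. Not the
# skill's own code. Assumed: the host triz.example.invalid, TRIZ_CONSENT,
# the --dry-run argument and the JSON field names idea_id/problem.
set -eu

# Hosts the wrapper may talk to (assumed value). A URL taken from the
# environment is accepted only if it resolves to one of these over https.
ALLOWED_HOSTS="triz.example.invalid"

# 0 if $1 is an https URL whose host is on the allowlist, 1 otherwise.
endpoint_allowed() {
  local url="$1" host h
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  host="${url#https://}"
  host="${host%%[/:?#]*}"   # drop path, port, query and fragment
  for h in $ALLOWED_HOSTS; do
    [ "$host" = "$h" ] && return 0
  done
  return 1
}

# 0 (and the matching pattern on stdout) if the payload looks like it carries
# credentials or material marked as restricted; 1 if nothing matched.
# The pattern list is a starting point, not a complete DLP policy.
payload_blocked() {
  local payload="$1" pat
  for pat in \
    '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    'AKIA[0-9A-Z]{16}' \
    '[Pp]assword[[:space:]]*[=:]' \
    '[Aa]pi[_-]?[Kk]ey[[:space:]]*[=:]' \
    'CONFIDENTIAL' 'TRADE SECRET' 'EXPORT[- ]CONTROLLED' 'ITAR'
  do
    if printf '%s' "$payload" | grep -qE -e "$pat"; then
      printf '%s\n' "$pat"
      return 0
    fi
  done
  return 1
}

# Build the body the way the scanned script does: jq -n with --arg, so user
# text is JSON-escaped rather than spliced into the document. Field names assumed.
build_payload() {
  jq -cn --arg id "$1" --arg text "$2" '{idea_id: $id, problem: $text}'
}

# Show exactly what will be sent and where, require an explicit "yes" unless
# TRIZ_CONSENT=yes is set, and only then run the curl call the finding quotes.
# Third argument --dry-run stops before the network call.
# Returns 2 for a disallowed endpoint, 3 for a blocked payload, 4 if declined.
send_with_consent() {
  local url="$1" payload="$2" mode="${3:-send}" answer match
  if ! endpoint_allowed "$url"; then
    echo "refusing: $url is not an allowlisted https endpoint" >&2
    return 2
  fi
  if match=$(payload_blocked "$payload"); then
    echo "refusing: payload matches sensitive-data pattern $match" >&2
    return 3
  fi
  printf 'About to POST the following to %s:\n%s\n' "$url" "$payload" >&2
  if [ "${TRIZ_CONSENT:-}" != "yes" ]; then
    printf 'Send it? [yes/NO] ' >&2
    read -r answer || answer=""
    if [ "$answer" != "yes" ]; then
      echo "aborted by user" >&2
      return 4
    fi
  fi
  if [ "$mode" = "--dry-run" ]; then
    return 0
  fi
  curl -sS --fail -X POST "$url" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json, text/event-stream" \
    --data "$payload"
}

# Stand-alone dry run on a constructed, non-sensitive problem statement;
# the real script would take this from the command line.
DEMO_PROBLEM='Reduce gimbal vibration without adding mass'
if command -v jq >/dev/null 2>&1; then
  DEMO_PAYLOAD=$(build_payload demo-1 "$DEMO_PROBLEM")
else
  DEMO_PAYLOAD="{\"idea_id\":\"demo-1\",\"problem\":\"$DEMO_PROBLEM\"}"
fi
TRIZ_CONSENT=yes send_with_consent "https://triz.example.invalid/mcp" "$DEMO_PAYLOAD" --dry-run
```

The allowlist check compares the full host label, so `triz.example.invalid.attacker.test` is rejected along with plain `http://`; the classification guard runs on the assembled JSON body rather than on individual arguments, so it also catches secrets that reach the payload through any field. Dropping `-s` in favour of `-sS --fail` keeps the progress meter off but lets a rejected upload fail loudly.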

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal