Back to skill

Security audit

thinking-model-enhancer

Security checks across malware telemetry and agentic risk

Overview

This does not look like malware, but it automatically stores thinking-session content and local state in ways users should review before installing.

Install only if you are comfortable with a thinking assistant keeping local history under ~/.claude/thinking_models. Review or disable auto-store behavior, avoid using it with secrets or sensitive business data, and periodically inspect or delete the stored JSON history if you proceed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions while its content describes capabilities that imply file access, persistence, networking, and shell usage. This creates a transparency and governance gap: users or platforms may invoke a skill with materially broader effective behavior than its manifest suggests, increasing the chance of unintended data access, persistence, or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose presents the skill as a generic thinking aid, but the described behavior extends into persistent local storage, automated triggers, command interfaces, template/model management, and initialization actions. This mismatch is dangerous because it can conceal operational side effects and broaden the attack surface beyond what a user would reasonably consent to, especially with memory persistence and automated execution paths.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The performance tracker persists user-derived execution telemetry, including problem type, truncated problem content, timestamps, and result summaries, to a file in the user's home directory. Even though this appears intended for diagnostics, it creates an undisclosed local data retention channel that can expose sensitive prompts or workflow metadata if the host is shared, backed up, or later accessed by other tools.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The module automatically creates and mutates configuration files under the user's home directory, which expands the skill from 'enhancement' into persistent system state modification. This is risky because it can silently change future behavior, create hidden state, and interfere with user expectations or other components that read the same configuration path.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The trigger system supports automatic rule matching that can switch modes and execute associated actions based solely on text input, with default rules enabled. In an agent skill context, unsolicited automatic behavior can cause prompt-driven state changes or workflow activation without explicit user confirmation, increasing the risk of unintended actions and covert behavior changes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module records and persists entire session dictionaries to disk, including fields such as user_input, result summaries, insights, and improvements, then uses them for cross-session learning. This creates unnecessary retention of potentially sensitive conversation content beyond what is required for model optimization, increasing privacy and data exposure risk if local files are accessed by other users, tools, or backups.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The SessionData structure explicitly includes raw user_input and detailed session history fields that are later serialized and stored. For a thinking-model enhancement skill, retaining full plaintext inputs is broader than necessary and may capture secrets, personal data, or proprietary information from prior conversations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module creates a persistent local memory store under the user's home directory and retains detailed model snapshots beyond transient comparison needs. In an agent skill context, long-term storage of problem summaries, outputs, ratings, and findings can capture sensitive prompts or results without clear minimization or retention controls, increasing privacy and data-exposure risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The similarity-query path relies on loading full historical snapshots that include full problem summaries and output summaries, not just reduced metadata or embeddings. This increases the chance that sensitive user inputs, model conclusions, or derived secrets are retained and later exposed through local access, debugging, backup systems, or other components reading the memory directory.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module and method documentation state that the skill integrates with a memory system, but the implementation only uses hardcoded sample data and explicitly notes that storage is not actually performed. This creates a security-relevant integrity issue because downstream agents or operators may rely on persistent memory, historical comparison, or continuous enhancement behavior that does not exist, leading to unsafe decisions based on false assumptions about system capabilities and auditability.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is presented as a memory-integrated enhancement component, but the core implementation is only a local heuristic simulator with fixed models and no true memory access or learning loop. In an agentic context, this misrepresentation is dangerous because other components may trust its outputs as informed by prior state, causing incorrect automation decisions, broken governance expectations, and loss of traceability.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The usage text says the skill acts 'when triggered' but never defines what inputs, permissions, or trigger conditions are allowed. For a skill that selects models, integrates with memory, and executes a decision process, ambiguous invocation boundaries can cause the agent to over-apply the skill, access memory in unintended contexts, or bypass safer specialized workflows.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation condition 'when user requests improved decision-making, enhanced thinking models, or when comparing and integrating thinking approaches' is broad enough to match many ordinary conversations. Overbroad invocation criteria can cause the skill to activate unexpectedly and apply memory, research, or troubleshooting behaviors in contexts where the user did not intend those operations.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The 'When to use' section lists generic scenarios like improving decision-making or analyzing frameworks without constraints, which encourages activation in ambiguous contexts. In a skill that also references memory integration and external information gathering, vague scope increases the likelihood of unnecessary data access or unintended workflow execution.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The auto-detection logic relies on keyword triggers, and the documented trigger terms are Chinese-only for some categories without clear user choice or multilingual safeguards. Trigger-based activation is already risky; coupling it to opaque language-specific terms makes invocation less predictable and can cause unintended mode selection, especially if downstream behaviors include memory access, external research, or troubleshooting actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill declares broad automatic activation triggers such as 'improved decision-making' and 'optimizing decision-making processes,' which are common phrases in ordinary user requests. This can cause the skill to run unexpectedly, expanding its access to user context and memory features without clear user intent or consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file states that the skill will automatically integrate with existing memory systems and elsewhere describes retrieving, comparing, and storing prior thinking models, but it does not warn users about what data may be accessed, retained, or reused. This creates a privacy and data-governance risk because the skill may process sensitive historical context without informed consent or clear boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Run completion handling writes user-derived metadata to disk without any consent, warning, or privacy control in this file. Because stored fields include problem type, partial problem text, timestamps, model names, and summaries, the tracker can leak sensitive usage data and create compliance/privacy issues even without remote exfiltration.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The configuration manager creates and writes configuration files in the home directory automatically, without informing the user in this module. While lower severity than telemetry capture, this still establishes hidden persistent state and may surprise users or violate expectations in environments where local writes should be explicit.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When triggers match, the code updates last_triggered timestamps and persists rule state to disk automatically, creating hidden persistent state from ordinary user input. In a skill environment, silent persistence can be abused for behavior tracking, covert statefulness, or configuration changes that users neither expect nor notice.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The session recording flow appends session data to a persistent JSON file without any visible disclosure, consent, or opt-in mechanism. Silent persistence of conversation-derived data can violate user expectations and increases the risk of unnoticed long-term retention of sensitive information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Learned patterns derived from session content are saved to disk automatically, again without any user-facing disclosure. Even if summarized, these patterns may still embed sensitive details from user content in descriptions, conditions, or actions and can leak information across sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The interface allows deletion of stored history immediately based on a text command, with no confirmation prompt, preview, or authorization check. In a memory-integrated assistant, this creates a real integrity risk because a mistaken or injected command can silently destroy historical records that may be needed for auditability, debugging, or user continuity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code automatically stores thinking results after processing without any user-facing notice at the point of collection. Because this skill explicitly integrates with a memory system, users may unknowingly submit sensitive problem descriptions that become persisted, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Snapshot files are written directly to local disk with no user-facing notice or consent flow, even though they may contain problem summaries, output summaries, findings, timestamps, and ratings. In a thinking-assistant skill, users may reasonably expect ephemeral processing, so silent persistence creates a privacy and transparency failure that can lead to unintended retention of sensitive content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.