70High
The skill grants broad file system and git access,
Behavior Analysis
Description verified — behavior matches claim
Claims to do
Brainstorming Ideas Into Designs: Help turn ideas into fully formed designs and specs through natural collaborative dialogue.
Actually does
This skill guides a structured design process, starting by exploring local project files, documentation, and recent commits. It engages in clarifying questions, proposes design approaches, and then documents the approved design by writing to a local Markdown file (`docs/superpowers/specs/YYYY-MM-DD-<topic>-design.md`) and committing it. It concludes by invoking the `writing-plans` skill and can offer a 'Visual Companion' that involves opening a local URL for visual aids.
Skill Info
Nameobra/superpowers/brainstorming
Registrygithub
Versionc4bbe651cb1b
PURLpkg:github/obra/superpowers@c4bbe651cb1b?skill=brainstorming
Stars180,084
Installs138,800
Source
SHA-256bba47904a7f6...
SHA-11b0710979c67...
MD502d86f11c496...
TLSH9422e71bfa48...
ssdeep192:FJ44yQmb...
Size10,634 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
Assessments (2)
AI Agent Traps ↗Arbitrary File Write via User-Controlled Pathhighpersistence
The skill states that 'User preferences for spec location override this default' for writing design documents. If not properly sanitized, this could allow an attacker to specify an arbitrary file path, leading to overwriting critical system files or writing to sensitive directories.
90% confidenceline 112
(User preferences for spec location override this default)
Broad File System and Git Accessmediumreconnaissance
The skill is instructed to 'check files, docs, recent commits' and 'Commit the design document to git'. This grants broad read/write access to the file system and git, which could be abused for reconnaissance or data exfiltration if the agent's instructions are manipulated.
80% confidenceline 30
Explore project context — check files, docs, recent commits
Potential for Malicious Content in Visual Companionlowsocial engineering
The 'Visual Companion' feature involves 'opening a local URL' to display content. If the agent can be manipulated to generate malicious content or point to a malicious local resource, it could be used for social engineering or to exploit browser vulnerabilities on the user's machine.
60% confidenceline 152
Requires opening a local URL
Version History (4)
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/brainstorming)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/brainstorming"><img src="https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/brainstorming.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/brainstorming.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow