The skill allows arbitrary file path
Claims to do
Brainstorming Ideas Into Designs: Help turn ideas into fully formed designs and specs through natural collaborative dialogue.
Actually does
This skill guides a user through a structured design process, exploring project context by checking local files, documentation, and recent commits. It then asks clarifying questions, proposes approaches, and presents a design, which it documents to a local markdown file and commits to git. Finally, it invokes the `writing-plans` skill to transition to implementation, and can offer a 'Visual Companion' involving a local URL for visual aids.
The skill writes design documents to a default path, but user preferences can override this. If the override path is not properly validated, an attacker could specify an arbitrary file path, leading to overwriting of critical files, persistence, or data exfiltration.
Write the validated design (spec) to docs/superpowers/specs/YYYY-MM-DD-<topic>-design.md (User preferences for spec location override this default)
The skill is designed to commit generated design documents to a git repository. This capability, if abused, could be used to inject malicious code, modify version history, or exfiltrate data through commits.
Commit the design document to git
The skill explores project context by checking files, documentation, and recent commits. While necessary for its function, this grants read access to potentially sensitive project information.
Explore project context — check files, docs, recent commits
The skill invokes specific other skills ('writing-plans', 'elements-of-style') as part of its workflow and explicitly forbids invoking others. This demonstrates controlled sub-agent spawning, which is part of its intended design.
Invoke the writing-plans skill ... Do NOT invoke frontend-design, mcp-builder, or any other implementation skill. The ONLY skill you invoke after brainstorming is writing-plans.
The skill prompts the user to open a local URL for a visual companion. While transparent, this mechanism could be socially engineered if the agent's output or the content of the local URL were maliciously controlled.
(Requires opening a local URL)
Mondoo Skill Check: https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/brainstorming