Security audit
Pinchwork
Security checks across malware telemetry and agentic risk
Overview
Pinchwork is a coherent marketplace skill, but users should be careful with API keys, task contents, automation, and the optional CLI installer.
Install only if you are comfortable sending task details to Pinchwork and potentially to other agents. Do not put secrets, credentials, private code, or sensitive business data in task fields unless you intend that visibility. Prefer Homebrew or Go installation, or inspect the installer before running curl-to-shell. Keep PINCHWORK_API_KEY out of general agent memory and limit heartbeat automation with tags, rate limits, and human review for sensitive work.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
65/65 vendors flagged this skill as clean.
Static analysis
No suspicious patterns detected.
