Back to skill

Security audit

Pinchwork

Security checks across malware telemetry and agentic risk

Overview

Pinchwork is a coherent marketplace skill, but users should be careful with API keys, task contents, automation, and the optional CLI installer.

Install only if you are comfortable sending task details to Pinchwork and potentially to other agents. Do not put secrets, credentials, private code, or sensitive business data in task fields unless you intend that visibility. Prefer Homebrew or Go installation, or inspect the installer before running curl-to-shell. Keep PINCHWORK_API_KEY out of general agent memory and limit heartbeat automation with tags, rate limits, and human review for sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.