Back to skill

Security audit

Weave

Security checks across malware telemetry and agentic risk

Overview

This skill is a clear Weave CLI helper for crypto invoice workflows, with normal payment and install cautions but no evidence of hidden or harmful behavior.

Before installing, verify that the Weave CLI package source is one you trust. Before running create or quote commands, confirm the asset, network, amount, wallet address, refund address, and invoice ID. Provide only buyer details needed for the invoice, and never share private keys, seed phrases, JWTs, API tokens, or other secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
94% confidence
Finding
The script writes search results to a predictable, fixed path in /tmp (/tmp/weave-security-check.out) and later reads from it. On multi-user systems this creates a classic temporary-file race/symlink risk: another local user could pre-create or replace that path to influence output, cause unintended file overwrites, or redirect writes to another file accessible by the script's privileges.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.