Pipeworx nationalize

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple remote nationality-lookup connector, with a privacy disclosure gap but no evidence of hidden or destructive behavior.

Before installing, understand that names you ask it to analyze may be sent to Pipeworx's gateway and the underlying nationality prediction service. Avoid submitting sensitive, regulated, or bulk personal data unless that external processing is acceptable for your use case.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill sends user-provided first names to an external remote MCP endpoint backed by a third-party nationality prediction service, but the description does not clearly warn users that their input leaves the local environment. This can mislead users into sharing personal data without informed consent, and names may be sensitive or regulated depending on context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal