Security audit

Pipeworx timezone

Security checks across malware telemetry and agentic risk

Overview

This is a simple timezone helper that uses a disclosed Pipeworx MCP endpoint, with a privacy note around optional IP-based lookup.

Install only if you are comfortable sending timezone queries to gateway.pipeworx.io. Avoid using IP-based lookup for sensitive users or environments unless you accept that an IP address may be processed by the external service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill advertises IP-based timezone lookup but provides no warning that a user's IP address may be transmitted to a third-party service for geolocation. IP addresses are personal data in many contexts, and silently sending them off-platform can create privacy, compliance, and user-consent issues. The skill context makes this more concerning because the feature is presented as a normal utility without any disclosure or minimization guidance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.