Pipeworx bluesky

Security checks across malware telemetry and agentic risk

Overview

This mostly read-only Bluesky skill is coherent, but its optional search setup asks users to put a Bluesky app password in a gateway URL.

Use the anonymous public tools freely if you trust the gateway. Avoid configuring search_posts with your main Bluesky credentials; if you need it, create a dedicated Bluesky app password, treat the configured URL as secret, and rotate or revoke the password after use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

High

Confidence: 99% confidence
Finding: The documentation explicitly instructs users to place Bluesky credentials in URL query parameters. Secrets in URLs are commonly exposed via browser history, shell history, proxy/server logs, monitoring systems, referrer leakage, and downstream tooling, making credential compromise materially more likely.

Ssd 3

Medium

Confidence: 98% confidence
Finding: This is a real secret-handling weakness: the skill tells users to embed an app password directly in the gateway URL. Even over HTTPS, URLs are frequently logged or retained by clients and infrastructure, so the skill increases the chance of accidental disclosure of reusable credentials.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal