
Security audit

Pipeworx chucknorris

Security checks across malware telemetry and agentic risk

Overview

This is a simple joke-fetching skill with disclosed remote calls and no evidence of credential access, local file access, persistence, or destructive behavior.

Safe to install for casual use. Be aware that joke results may include explicit or offensive content, and do not use private text or secrets as search keywords because requests go to a third-party gateway. Use the optional npx MCP setup only if you are comfortable running mcp-remote from npm.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly lists an "explicit" category but does not warn users that returned content may include offensive or adult jokes. This can lead to unexpected exposure to inappropriate content in user-facing applications, especially where moderation, age gating, or workplace-safety expectations apply.

VirusTotal

55/55 vendors flagged this skill as clean.
