
Security audit

Pipeworx disify

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward remote email/domain validation helper, with no hidden install behavior or persistence found.

Install only if you are comfortable sending the email addresses or domains you check to Pipeworx's remote Disify service. Avoid using it with sensitive, regulated, or bulk customer data unless your organization has reviewed Pipeworx's privacy, logging, and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The example explicitly sends a user-provided email address to a third-party remote API, but the skill does not clearly warn users that this data leaves the local environment. Email addresses are personal data in many contexts, so silent external transmission can create privacy, compliance, and trust risks if operators assume validation is local-only.

VirusTotal

64/64 vendors flagged this skill as clean.
