Weights & Biases Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-oriented Weights & Biases monitor, with expected credential use and some metadata-disclosure cautions but no evidence of malicious behavior.

Install only if you are comfortable letting the agent use your W&B-authenticated environment to read and display run data. Pass explicit entity, project, and run arguments; avoid no-argument watch mode unless the hardcoded defaults are intended, and avoid storing secrets in W&B configs or summaries because this skill may print them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
This script fetches and outputs full W&B run metadata, including config and summary fields, directly to stdout/JSON without any redaction, allowlisting, or warning that these fields may contain secrets, dataset paths, internal URLs, or other sensitive experiment metadata. In an agent skill context, that increases the risk of unintended disclosure because users may invoke it in shared terminals, logs, chat transcripts, or automated pipelines where output is persisted or exposed beyond the intended audience.

VirusTotal

66/66 vendors flagged this skill as clean.
