pywencai

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PyWenCai market-data helper, but users should treat the required Wencai cookie like a password and pin dependencies for safer installs.

Install this in an isolated Python environment, pin reviewed dependency versions where possible, and keep the Wencai cookie private. Do not hardcode real cookies in shared notebooks or repositories, avoid printing them in logs, and rotate the Wencai session if the cookie may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README instructs users to extract a live website Cookie and pass it directly into code or an environment variable, but provides no warning that this value is an authentication credential equivalent to a session token. In an agent or shared execution context, this can lead to accidental credential exposure through logs, prompts, code samples, screenshots, shell history, or repository commits, enabling account/session hijacking.

Unpinned Dependencies

Low

Category: Supply Chain
Content: pywencai>=0.10.0 pandas>=1.5.0
Confidence: 93% confidence
Finding: pywencai>=0.10.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: pywencai>=0.10.0 pandas>=1.5.0
Confidence: 95% confidence
Finding: pandas>=1.5.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal