Back to skill

Security audit

LYGO Joy Loop Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill is a scoped local helper for LYGO Joy Loop that discloses its local state changes, public snapshot risk, and consent gates.

Install only if you intentionally use the LYGO protocol stack. Before running write or plant commands, confirm LYGO_STACK_ROOT, review the files that will change, and remember that pushing the repo to GitHub Pages may publish the Joy Loop snapshot metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Unsafe Defaults

Medium
Category
Tool Misuse
Content
- Optional **`git_head`** short hash of your repo

It does **not** include API keys, env vars, or user PII by design.  
**If you push the repo to GitHub Pages, this JSON can become world-readable.**  
Agents must **warn the user** before any command that updates the snapshot if a push might follow.

## Declared filesystem scope (least privilege)
Confidence
87% confidence
Finding
world-readable

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.