Back to skill

Security audit

Jwdiario

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches the Spanish JW daily text, with a caution that its script uses shell-based curl instead of a safer fetch API.

Install only if you are comfortable with the skill contacting wol.jw.org to fetch the current daily text. The author should preferably replace the execSync curl call with web_fetch or a native HTTP API and document the implementation clearly, but I did not find hidden behavior, credential access, persistence, or exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
main.js:24