Back to skill

Security audit

pet

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward wrapper for the pet command snippet manager, with sensitive command execution and GitHub sync features disclosed and aligned with its purpose.

Install this only if you want the agent to use your local pet CLI. Treat snippets as sensitive: review commands before running pet exec, avoid storing passwords or tokens in snippets, and use pet sync only when you intentionally want snippet contents uploaded to GitHub Gist under that account's visibility and access settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation tells users they can sync snippets to a GitHub Gist, but it does not warn that saved snippets may contain sensitive commands, tokens, hostnames, or other operational data that will be transmitted off the local system. In a snippet manager, users often store reusable shell commands that may embed secrets or internal infrastructure details, so omission of this warning can lead to unintended data disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.