Back to skill

Security audit

Weakpass

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Weakpass API helper for leaked-password and hash lookup work, with sensitive dual-use output that users should handle carefully.

Install only if you intend to let your agent query Weakpass. Do not submit production credential material, regulated data, proprietary hashes, or investigation targets unless you are authorized to send them to weakpass.com, and avoid storing or logging returned plaintext passwords.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to send hashes and prefixes to a third-party service without any warning that these values may be sensitive or derived from confidential authentication material. Even if plaintext passwords are not sent directly, hashes and especially searchable prefixes can enable credential exposure, policy violations, or unintended disclosure to an external provider.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented search function can return recovered plaintext passwords from leaked-password data, but the skill provides no warning about the sensitivity of that output or the legal and ethical constraints around handling it. This increases the risk of misuse, unauthorized account access attempts, insecure storage of recovered credentials, and accidental exposure of highly sensitive authentication secrets.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.