WayID Identity Card (alias /way)

Security checks across malware telemetry and agentic risk

Overview

This is a small identity-card shortcut that reads the agent's WayID file and contacts the configured issuer to display verification details.

Before installing, confirm that you want identity and provenance questions to invoke this shortcut. Review your wayid.json issuer and the separate /whoareyou skill, because using /way may contact that issuer with the agent's bare WayID identifier.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The manifest description contains a very broad set of natural-language trigger phrases for identity, ownership, provenance, and authenticity questions. This increases the chance the skill is invoked in situations the user did not explicitly intend, which can cause unsolicited external lookups and disclosure of identity-card data or provenance information in response to loosely related prompts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal