WayID Identity Card

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed identity-card lookup that reads a WayID DID file, fetches the matching public card, and displays it to the user.

Before installing, understand that asking identity or ownership questions may cause the agent to read its local WayID file and contact the listed WayID issuer to display the certificate. Install the optional @lineagelabs/wayid plugin only if you trust that publisher.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill metadata advertises very broad natural-language triggers such as 'who are you', 'who owns you', and similar provenance questions. Because these phrases commonly appear in ordinary conversation, the skill may activate unintentionally and override normal assistant behavior, causing prompt-routing confusion and unexpected disclosure or network/file access steps when the user did not explicitly invoke the command.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The instruction to trigger on 'slash command or any natural-language variant' lacks clear boundaries and repeats broad identity-related phrases. In context, this increases the chance that unrelated dialogue about identity, ownership, or provenance will invoke the skill, leading to unnecessary reads of local DID files and outbound requests to the configured issuer.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal