Security audit

yourbro

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed yourbro.ai publishing integration, with expected local page files, token use, and an agent binary, but users should be careful with page visibility and deletion commands.

Install only if you trust yourbro.ai and are comfortable running its local agent binary with YOURBRO_TOKEN. Review page.json before sharing links, avoid making sensitive pages public, and treat delete commands under /data/yourbro/pages/ as permanent unless you have backups.

SkillSpector

By NVIDIA

Vulnerability Patterns

Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill documents recursive deletion of a page directory without any warning, confirmation step, or safer alternative. In an agent context, normalizing destructive filesystem operations can lead to accidental data loss, especially if a slug/path is mistyped or derived from user input.

Tool Parameter Abuse

High

Category: Tool Misuse
Content: ### Delete a page ```bash rm -rf /data/yourbro/pages/hello/ ``` ### List pages
Confidence: 91% confidence
Finding: rm -rf /

Tool Parameter Abuse

High

Category: Tool Misuse
Content: ### Delete a page ```bash rm -rf /data/yourbro/pages/hello/ ``` ### List pages
Confidence: 91% confidence
Finding: rm -rf /data/yourbro/pages/hello/

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.