Paw.skill

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only pet memory helper that stores user-provided memories locally and does not ask for network access, credentials, or executable privileges.

Install only if you are comfortable storing personal pet memories in readable local files under ~/.paw-skill/pets/. On shared, synced, or hosted agent environments, confirm where that folder lives and delete the relevant pet folder when you no longer want the memories retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrase is extremely broad emotional language that could appear in ordinary user conversation unrelated to intentionally invoking the skill. In a grief-focused skill, this increases the chance of accidental activation during sensitive moments, causing unsolicited memory retrieval or emotionally manipulative responses when the user may simply be expressing sadness.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill encourages storage of highly personal, emotionally sensitive memories with cross-session persistence, but the warning about long-term retention and local exposure is minimal and easy to miss. Even if data stays local, users may not understand that names, routines, grief-related content, and relationship details will remain on disk until manually deleted, creating privacy risk on shared or compromised devices.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal