Wayve

Security checks across malware telemetry and agentic risk

Overview

Wayve appears purpose-built for coaching and planning, but it needs review because it gives the agent broad, persistent access to sensitive personal, business, scheduling, and notification data.

Install only if you are comfortable with Wayve storing long-term personal, business, scheduling, and audit data in your Wayve account. Treat Telegram bot tokens and Slack/Discord webhooks as secrets, use dedicated limited channels where possible, rotate them if exposed, review and delete saved knowledge regularly, and require explicit confirmation before creating automations or deleting planning data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The file explicitly instructs the agent to persist broad categories of sensitive data, including health conditions, family situation, revenue, pricing, and crisis events, far beyond minimally necessary scheduling preferences. This creates unnecessary long-term accumulation of sensitive personal and business information that could be exposed, misused, or repurposed across sessions without strong necessity or clear scoping.

Description-Behavior Mismatch

Severity: Low
Confidence: 82%
Finding
The documentation states that memory is stored server-side and persists across devices, sessions, and clients, which materially expands the privacy and security exposure of collected data. Cross-client persistent storage increases the blast radius of any compromise and should be disclosed and controlled explicitly rather than implied as normal behavior.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The document claims sensitive medical, financial, and relationship details should not be saved beyond planning needs, but earlier sections explicitly instruct saving exactly those categories. This contradiction weakens safeguards, invites over-collection by agents, and makes enforcement ambiguous in a high-sensitivity context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The onboarding flow instructs the agent to collect third-party notification credentials such as Telegram bot tokens and Slack/Discord webhook URLs. Even with a consent prompt and storage claim, this expands the trust boundary significantly: the agent is soliciting secrets that can be abused for message spoofing, data exfiltration, or unauthorized notification delivery if mishandled, logged, or later exposed.

Context-Inappropriate Capability

Severity: Low
Confidence: 84%
Finding
The skill strongly pushes a 7-day time audit with 30-minute check-ins, which materially increases collection of behavioral and scheduling data beyond what a user may infer from the skill description. Because this cadence can reveal detailed routines, work patterns, and personal habits, the lack of prominent up-front disclosure and consent granularity creates a privacy and informed-consent risk.

Vague Triggers

Severity: High
Confidence: 94%
Finding
The skill is configured to activate on very broad natural-language cues such as weekly planning, time audits, business strategy, or generally wanting to get more out of an AI agent. In this skill, activation is not passive: once invoked, it mandates fetching context, retrieving knowledge, checking automations and suggestions, and persisting new data, which can cause unintended access to and storage of user data without clear, explicit intent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill repeatedly instructs the agent to retrieve and persist extensive user information, including context, schedule, preferences, knowledge, coaching state, and audit logs, and even says to persist everything learned. There is no equivalent upfront requirement to clearly warn the user about what data will be accessed, what will be stored, and to obtain informed consent before those operations, creating a privacy and over-collection risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs deletion of user activities via `wayve activities delete ID --yes` based on a conversational classification of 'Drop,' but it does not require a clear deletion warning, confirmation step, or recovery path. In an agentic context, this can lead to permanent loss of user data from misunderstanding, prompt ambiguity, or over-eager automation during weekly planning.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill promotes persistent server-side storage of highly sensitive user information but does not present a clear just-in-time warning or explicit consent flow before collection and retention. In a planning/coaching context, users may casually disclose intimate information, making undisclosed persistence especially risky.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The instructions mandate automatic retrieval and conversational reuse of stored personal insights before every planning interaction, without requiring disclosure at time of use. This can surprise users, normalize invisible profiling, and increase the chance that sensitive past information is resurfaced in inappropriate contexts.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger guidance includes broad, everyday phrases like 'big picture review' and 'how am I doing overall,' which can cause the skill to activate in contexts where the user did not clearly intend to invoke a deep life-analysis workflow. In this skill, ambiguous activation is more dangerous because the workflow immediately gathers broad personal analytics and later performs persistent writes, so a mistaken invocation could expose or modify sensitive user data without clear consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to save milestone observations, create suggestions, schedule activities, set recurrence, and persist findings to the knowledge base without first telling the user that their records will be modified. This is dangerous because it enables silent state changes in a system containing personal planning, behavioral, and happiness data, which can create privacy issues, unwanted automations, and long-lived incorrect records.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The trigger conditions for onboarding are broad enough to activate on ordinary phrases like 'set up' or 'getting started,' which can cause the skill to launch sensitive onboarding and data-collection flows without clear user intent. In this context, accidental activation is more dangerous because the workflow quickly progresses into collecting personal context, schedules, and credentials.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The recommendation for check-ins every 30 minutes emphasizes value but does not equally disclose user burden, sensitivity of the resulting activity log, or the practical intrusiveness of that cadence. This creates a manipulative consent pattern where users may agree without understanding that the system will generate highly granular surveillance-like data about their daily life.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The guide encourages users to configure server-side push notifications through third-party channels like Telegram, Discord, Slack, and email without clearly warning that schedule, reminder, and potentially sensitive life-planning data may be transmitted to external platforms. In a skill centered on personal routines, life pillars, and business strategy, this omission increases privacy risk because users may share highly sensitive personal and operational information without informed consent.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The activation criteria are very broad and include inferred triggers like 'you detect a strategic blindspot during coaching,' which can cause the framework to activate without clear user intent. In a coaching/productivity skill, this can lead to unsolicited strategic guidance, scope creep, and increased chances of the agent pulling in business-context reasoning when the user wanted a narrower interaction.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to persist timezone, active hours, and time-audit configuration into a knowledge base immediately after setup, but the user-facing flow does not clearly and specifically disclose that these details will be stored persistently outside the immediate audit record. This creates a privacy and consent issue: users may believe they are only configuring notifications, while the system also builds a durable profile that could be reused in later sessions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill mandates that every user check-in be logged to the database via CLI, but the ongoing interaction flow does not remind users at reply time that each short message will be persisted. Because these check-ins can reveal sensitive behavioral patterns, routines, health-related activity, work habits, and personal relationships, silent persistence increases the risk of collecting sensitive personal data without meaningful ongoing notice.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation explicitly instructs users to provide outbound notification credentials such as Telegram bot tokens, chat IDs, Slack/Discord webhook URLs, and email addresses, but it gives no warning about secret handling, consent, or the privacy implications of sending personal planning data to third-party channels. In the context of this skill, automations can transmit highly sensitive life-management data, so normalizing credential entry and external delivery without safeguards increases the chance of accidental data exposure or unsafe agent behavior.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This section instructs the agent to ask for and save monthly revenue, client, and business-status information to long-term knowledge without first clearly telling the user that the information will be persisted. Financial and business performance data is sensitive, and silent retention can violate user expectations, create privacy risk, and increase harm if the memory store is later exposed or reused unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill mandates saving a detailed weekly review, emotional ratings, focus areas, coaching observations, recurring blockers, and other personal insights, while explicitly noting that the agent need not announce every save. That combination creates a meaningful privacy vulnerability because highly personal behavioral and emotional data is persisted without clear, upfront, informed consent or granular control.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The 'Save Insights (Mandatory)' section instructs the agent to persist newly shared personal context, preferences, and behavioral patterns into long-term knowledge by default. This creates a data retention and privacy risk because sensitive personal information may be stored without granular consent, minimization, retention limits, or clear boundaries on what should not be saved.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The document directs the agent to maintain persistent memory of personal patterns, preferences, energy data, and coaching observations, stored server-side and reused across sessions. Persistent profiling of sensitive personal context increases harm from unauthorized access, misuse, or overreach, especially when the scope includes intimate lifestyle and wellbeing information.

Ssd 3

Severity: High
Confidence: 96%
Finding
The guidance tells the agent to save personal information, frustrations, and recurring blockers from any conversation into long-term memory, which can capture sensitive disclosures outside a clear consent boundary. This broad ingestion rule risks storing intimate or situational data users may not expect to persist.

Ssd 3

Severity: High
Confidence: 95%
Finding
The end-of-session checklist operationalizes automatic capture of newly learned personal details, recurring frustrations, and patterns into persistent memory. This encourages systematic profiling and retention without a proportional necessity test or explicit user approval at the moment of capture.

VirusTotal

65/65 vendors flagged this skill as clean.