Pywayne Cross Comm

Security checks across malware telemetry and agentic risk

Overview

This is a coherent communication and file-transfer skill, but users should treat its cloud storage credentials and network file sharing as sensitive.

Before installing, verify the external pywayne package source, bind the server to localhost or a trusted interface when possible, use dedicated least-privilege OSS credentials, avoid sending broad or sensitive folders, and only enable auto-download for trusted senders and safe destination directories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documentation explicitly promotes automatic file upload to Aliyun OSS and optional automatic download of received files, but it does not warn users about privacy, data retention, credential exposure risk, or the trust boundary of remote senders. In a cross-device messaging skill, this can lead to unintended exfiltration of sensitive local files or downloading untrusted content to disk without adequate user awareness or consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal