Pywayne Helper

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed YAML configuration-sharing helper, with ordinary local file persistence risks users should manage.

Before installing, verify the pywayne package or GitHub source you intend to use. Keep the shared YAML file out of version control when it may contain sensitive data, avoid storing long-lived secrets there, and explicitly set the project root or config filename when location matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly encourages storing an API token in a shared YAML file used for cross-process and cross-file communication, but provides no warning about secret handling, file permissions, or plaintext credential exposure. In this context, the shared file is intentionally broadly accessible within a project, which increases the chance of accidental disclosure through source control, logs, backups, or access by other local users/processes.

Missing User Warnings

Low
Confidence: 78%
Finding
The skill describes automatic creation and use of a project-root shared configuration file, but does not clearly warn users that initialization can create and modify persistent state on disk. This can lead to unintended data exposure, configuration confusion, or accidental interaction with existing project files, especially because root detection is automatic and may not match user expectations.

VirusTotal

66/66 vendors flagged this skill as clean.
