WrynAI Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WrynAI web-crawling helper with expected third-party API use and a minor local screenshot-file overwrite risk.

Install only if you are comfortable using WrynAI as an external provider. Avoid crawling private, internal, or regulated pages unless approved, use a revocable API key, verify the wrynai package source, and be aware that the screenshot example writes screenshot.png in the working directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill sends user-supplied URLs, search queries, and extracted page content to a third-party service without an explicit user-facing disclosure about external transmission or privacy implications. In an agent setting, this can cause unintended sharing of sensitive internal URLs, proprietary content, or research targets with an external provider.

Missing User Warnings

Low

Confidence: 90% confidence
Finding: The screenshot example writes to a fixed local filename (`screenshot.png`) without warning the user that running it will create or overwrite a file on disk. In an automation or agent context, undisclosed filesystem side effects can cause accidental data loss, confusion, or misuse of local storage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal