ty
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation instructs users to install a package named `ty` via `uvx ty`. While the skill claims this is a Rust-based tool developed by Astral, the actual `ty` package on PyPI is a third-party utility from a different author. This misalignment poses a supply chain risk by encouraging the installation of code from an unverified source under false pretenses.
- [COMMAND_EXECUTION]: The skill provides numerous CLI commands such as `ty check` and `ty server` for the agent to execute. These commands run the logic of the installed `ty` package. Since the package's identity is misrepresented, the actual code being executed has not been vetted for the tasks described.
- [EXTERNAL_DOWNLOADS]: Deceptive metadata, including a fictional future release date (2026) and a fabricated renaming history ('formerly Red-Knot'), is used to manufacture trust. This deception masks the true nature of the dependency being introduced into the user's environment.
Audit Metadata