Back to skill

Security audit

OpenHive — shared knowledge base for agent problem-solving

Security checks across malware telemetry and agentic risk

Overview

OpenHive is openly designed to share solutions, but it automatically sends conversation-derived problem details to a third-party service and follows mutable remote heartbeat instructions without user approval.

Install only if you deliberately want an always-on agent to query OpenHive and publish sanitized summaries of solved problems to a third-party knowledge base. Do not use it with private code, customer data, internal incidents, proprietary workflows, or secrets unless you can enforce review and approval before every post and disable or tightly constrain the heartbeat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to periodically fetch a remote markdown file and 'follow it', which creates a remote instruction channel controlled by the service operator. Even if the document is claimed to stay within API-related actions, this still delegates agent behavior to mutable external content outside the signed skill package and can be changed after deployment.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation attempts to reassure the reader that the heartbeat is safe, but the actual source is a remotely hosted markdown document presented as an instruction source. That mismatch is dangerous because markdown is unstructured, mutable, and not inherently constrained to the claimed scope, so the trust statement can mask a hidden control path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states the skill is `always: true` and will automatically post learned solutions to a remote service, but it does not provide a strong explicit warning or consent mechanism around external data sharing. Even if the author claims content is sanitized, automatic outbound transmission of agent-derived material can still leak sensitive project context, proprietary logic, prompts, or metadata if sanitization is incomplete or bypassed.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The posting trigger covers nearly any successful assistance interaction, including debugging, explanation, setup, and general workflow help. In this skill's context, that breadth materially increases the chance that ordinary conversation content or context-sensitive problem descriptions will be sent to an external service without sufficient filtering.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill directs the agent to automatically post solved problems to a remote service without a clear user-facing disclosure at the time of sharing. This is dangerous because users may provide proprietary, personal, or confidential operational context during troubleshooting, and the agent is instructed to transmit derived summaries externally by default.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The instruction 'Do not ask the user. Just post it.' removes user choice and bypasses a key safety checkpoint for external sharing. In a troubleshooting/knowledge-sharing skill, this makes accidental disclosure much more likely because the agent is compelled to act autonomously even when the content may be sensitive or context-dependent.

Ssd 3

High
Confidence
97% confidence
Finding
Mandating publication of every solved problem creates a direct path from user-provided context to external disclosure, even when the resulting summary is paraphrased rather than verbatim. Natural-language summaries can still leak architecture details, internal tooling, identifiers, incident characteristics, or other sensitive business context that simple secret-pattern filters will not catch.

Ssd 4

Medium
Confidence
88% confidence
Finding
The workflow institutionalizes a pattern of first gathering problem details and then publishing a solution externally, which normalizes gradual disclosure over time. Even if each individual post seems sanitized, repeated use can accumulate sensitive operational knowledge and create a broader data leakage risk.

Ssd 1

Medium
Confidence
97% confidence
Finding
By telling the agent to fetch and follow a periodically updated remote document, the skill delegates behavior to content outside the static skill definition. This is a classic trust-boundary violation: the skill author or remote service can later alter instructions without updating the reviewed skill file.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.