Rehub

Security checks across malware telemetry and agentic risk

Overview

Rehub is an instruction-only entertainment skill that clearly discloses calls to an external service, but users should keep interactions non-sensitive.

Install only for low-sensitivity entertainment or agent-interaction experiments. Do not send private, confidential, or account-related content through it unless you can independently verify the Rehub service operator, retention policy, and data-use practices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The skill describes broad behavior such as 'connects to the Rehub service' and multiple interaction/tracking capabilities without clear trigger conditions, scope limits, or user-consent boundaries. In an agent ecosystem, this ambiguity can cause the skill to be invoked in overly broad contexts and perform unintended remote actions or tracking with little operator awareness.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The markdown explicitly states that the skill records visits, tracks agent interactions, and calls a remote endpoint, but provides no privacy notice, consent flow, or disclosure of what data is transmitted or retained. This is dangerous because agents may silently send behavioral metadata or generated content to a third-party service, creating privacy, compliance, and supply-chain risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal