my skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow user-run script that contacts a specific Hanime search page and prints matching titles, with no evidence of hidden persistence, credential access, or destructive behavior.

Install only if you are comfortable with a local Python script contacting hanime1.me from your network. Check that requests and beautifulsoup4 come from trusted package sources if you need to install them, and do not expect the documented JSON, wait-time, or custom-selector options unless the skill is updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest says this skill is for checking Hanime/Miuuuu updates, but the documentation describes a generic web page title scraper. This mismatch is dangerous because it disguises broader functionality than users and orchestrators would expect, increasing the chance of abuse for arbitrary browsing, data collection, or policy evasion.

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation description uses broad trigger phrases such as asking whether Hanime or related sites have updated, which can cause the agent to activate the skill in loosely related contexts. Overbroad routing increases the chance that a network-capable skill is invoked unexpectedly, exposing users to unintended external requests or content retrieval.

VirusTotal

53/53 vendors flagged this skill as clean.
