Huozi

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Huozi publishing integration whose public publishing, account setup, API-key use, and page management behavior match its stated purpose.

Install this only if you trust huozi.app with the email address, verification code, API key, and content you choose to publish. Treat HUOZI_API_KEY like a password, avoid publishing secrets or private documents, and confirm the page slug before update or delete requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs the agent to publish user-provided Markdown/HTML to a public web service but does not require an explicit warning or confirmation that the content will become publicly accessible and shareable. In an agent setting, users may assume content handling is private by default, so sensitive notes, reports, or internal HTML could be exposed unintentionally.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documented delete capability enables destructive operations without instructing the agent to warn the user, confirm intent, or explain reversibility. In conversational workflows, ambiguous requests or accidental invocation could cause unwanted page deletion and content loss.

VirusTotal

63/63 vendors flagged this skill as clean.
