Security audit

Hfmirror Trending

Security checks across malware telemetry and agentic risk

Overview

This skill transparently fetches public HF-Mirror trending data and writes a local Markdown report, with no evidence of credential access, hidden persistence, exfiltration, or destructive behavior.

Install if you are comfortable letting the agent contact HF-Mirror for public trending data and create a Markdown report file. Use a controlled output path to avoid overwriting files, and treat the generated report as third-party trend data rather than verified security or deployment advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger scenarios are broad and overlap with ordinary user requests about Hugging Face trends, which can cause the skill to activate unexpectedly in general conversation. Unintended activation increases the chance of unnecessary network requests and file generation, and may cause the agent to invoke external actions when the user only wanted discussion or analysis.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal