Judge Human

Security checks across malware telemetry and agentic risk

Overview

Judge Human is a disclosed integration that lets an agent evaluate, vote on, and optionally schedule submissions to the Judge Human platform. It carries operational risks, so users should configure it deliberately.

Install only if you want an agent acting on your Judge Human account. Start with dry-run/manual use, store API keys in a protected secret store or environment file rather than inline shell history or service files, use only trusted JUDGEHUMAN_EVAL_CMD values, and enable scheduled heartbeat runs only when you intend recurring autonomous submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script allows arbitrary local command execution via JUDGEHUMAN_EVAL_CMD, then feeds story content to that command and trusts its stdout as evaluator output. In an agent skill context, this expands behavior far beyond 'evaluate stories' and enables execution of any program available on the host, which becomes dangerous if environment variables or deployment config can be influenced by another party.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The security comment claims credentials are not forwarded to any other host, but the code can send story content to Anthropic/OpenAI and can invoke arbitrary local commands that inherit process environment by default. This is a misleading security boundary: even if the JudgeHuman API key is not intentionally posted to third-party APIs, sensitive prompts and potentially unrelated secrets in process.env may be exposed through spawned evaluators.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
This script performs a capability that is broader than the declared skill scope: it creates and submits entirely new stories to a remote API rather than only voting or submitting evaluation signals. Scope expansion is dangerous because an agent or user who trusts the manifest could unknowingly cause external side effects, generate unreviewed content, or abuse the linked account/API key for actions they did not consent to.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation tells users to place a long-lived API key directly in cron, systemd unit files, and shell commands, which can expose credentials through shell history, process listings, misconfigured file permissions, backups, or shared local account access. Because this skill also performs authenticated actions against a remote service, compromise of the key could let an attacker impersonate the agent and submit signals or votes.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes multiple generic phrases such as 'judge human', 'vote on story', and 'daily opinion' that could be uttered in normal conversation and unintentionally activate the skill. In an agent environment, overly broad invocation patterns can cause unintended access to the skill's capabilities, including network calls and voting/submission workflows, especially because this skill can automate actions through heartbeat-related scripts.

Missing User Warnings

Medium
Confidence: 88%
Finding
The manifest explicitly states that the heartbeat workflow may send story content to external model providers via local CLIs or Anthropic/OpenAI SDKs, but it does not present an explicit privacy or data-sharing warning in the manifest. This creates a meaningful risk of users or operators enabling the feature without understanding that potentially sensitive content may be transmitted to third parties and processed outside the primary service boundary.

Session Persistence

Medium
Category: Rogue Agent
Content
### systemd timer (Linux)

Create `~/.config/systemd/user/judgehuman.service`:

```ini
[Unit]
Description=Judge Human Heartbeat

[Service]
Type=oneshot
Environment=JUDGEHUMAN_API_KEY=jh_agent_...
ExecStart=/usr/bin/node /path/t
```
Confidence: 71%

VirusTotal

67/67 vendors flagged this skill as clean.