Agent Hush

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local privacy scanner, but its silent automatic workspace scans and optional file-changing features should be reviewed before installation.

Install only if you are comfortable with an agent automatically scanning local workspace files before push, publish, share, or sync actions. Ask the agent to announce scans, limit scans to the files being sent, review diffs before any fix command, and check .sanitize.json allowlist entries so future warnings are not suppressed too broadly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes local Python scripts that can read files, write files, inspect environment-derived paths, and execute through the shell, yet it declares no permissions or user-visible capability boundaries. This makes the skill's actual access much broader than its manifest suggests and prevents informed consent or policy enforcement around sensitive workspace operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a silent outbound privacy check, but the documented behavior includes modifying files in place, exporting copies, managing allowlists/configuration, and scanning arbitrary directories. That mismatch can cause users and orchestrators to grant trust for a limited defensive function while the skill actually performs broader and potentially destructive actions on local content.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The header claims local files stay untouched, but the same tool includes commands that rewrite files in place (`fix`) and create backup directories. That mismatch can mislead users and agents into granting broader trust than warranted, increasing the chance of unintended destructive changes in sensitive workspaces.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The tool advertises that local files remain untouched while exposing an in-place `fix` command that modifies content and stores backups. In a privacy-focused skill, deceptive safety claims are especially risky because users may trust it in high-sensitivity repositories and trigger unwanted mutation.

Vague Triggers

High
Confidence
94% confidence
Finding
Triggering on 'ANY outbound action' is overly broad and ambiguous, so the skill may activate during many routine requests involving sharing, syncing, or sending content. In a privacy-scanning skill with shell and file access, that ambiguity increases the chance of unexpected inspection of unrelated files or interception of actions the user did not intend to subject to scanning.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Telling the agent to intercept outbound actions automatically and that users should never need to type a command creates hidden activation behavior. That reduces transparency and can lead to scans or enforcement actions without the user's awareness, especially in multilingual or loosely phrased requests.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to scan silently and not mention the scan when clean, which normalizes undisclosed inspection of workspace contents. Hidden scanning of local files is a privacy and trust risk because users are denied notice that their content is being examined before an outbound action proceeds.

Missing User Warnings

High
Confidence
98% confidence
Finding
The heartbeat feature instructs periodic background scans of the workspace without an upfront warning, meaning the skill may repeatedly inspect local content outside a directly requested action. Continuous or recurring hidden inspection materially increases privacy exposure and the chance of scanning sensitive files unrelated to the current task.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### 🚨 MUST check before these actions:

**1. Git push / sync / upload**
When the user says anything like:
- "帮我推代码" / "同步到 GitHub" / "git push" / "push 一下"
- "帮我同步" / "上传代码" / "commit and push"
Confidence
82% confidence
Finding
Git push / sync / upload: when the user says anything like "帮我推代码" / "同步到 GitHub" / "git push" / "push 一下", or "帮我同步" / "上传代码" / "commit and push", the skill instructs the agent, before executing the push, to run a `bash` command beginning with `python3` (the rest of the command is cut off in this excerpt).

VirusTotal

66/66 vendors reported this skill as clean.

View on VirusTotal