Hume

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Hume integration that uses Membrane to connect to Hume, with no evidence of hidden or malicious behavior.

Install this only if you intend to connect a Hume account through Membrane. Review the Membrane CLI package source or pin a trusted version if your environment requires stricter supply-chain control, and require confirmation before sending sensitive text, audio, video, files, or before running create, update, patch, delete, or bulk proxy requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly documents raw proxying of requests to the external Hume API but does not instruct the agent to obtain user confirmation or warn that prompts, files, or other sensitive data may be transmitted to a third-party service. In an agent setting, this increases the risk of inadvertent exfiltration of sensitive user data to an external system under the guise of normal tool usage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal