
Security audit

Huly

Security checks across malware telemetry and agentic risk

Overview

This Huly CLI skill is mostly coherent for managing a Huly workspace, but it gives agents broad raw API/RPC and deletion guidance that users should review before installing.

Install only if you are comfortable letting an agent operate your Huly workspace, including through raw Huly API/RPC calls. Require the agent to confirm which workspace is active before any mutation, to preview destructive changes, and to obtain explicit approval for every delete and for every raw `huly api`/`huly ws` mutation; the escape hatches should be used only when no dedicated CLI command can do the task.
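One way to apply those recommendations (confirm the workspace, approve every delete and every raw `huly api`/`huly ws` call) is a small wrapper that an agent harness places in front of the `huly` binary. The block below is an added example for this audit, not code from the Huly CLI or from the audited skill. It recognises only the command shapes quoted on this page (`workspace delete [--force]`, `<resource> delete <ref...>`, `api`, `ws`); the `huly-guard` name, the `HULY_GUARD_WORKSPACES` variable and the assumption that `~/.config/huly/active-workspace` holds the workspace name as plain text are illustrative.

```python
"""Approval gate in front of agent-issued `huly` CLI calls.

Added example for this audit; not code from the Huly CLI or the audited skill.
It inspects only the argument vector, so it cannot tell what a raw
`huly api` / `huly ws` request does server-side; every such call is treated
as needing approval. Unknown subcommands are passed through as bounded.
"""
from __future__ import annotations

import os
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Sequence

SAFE = "safe"
NEEDS_APPROVAL = "needs-approval"


@dataclass(frozen=True)
class Decision:
    verdict: str
    reason: str


def classify(argv: Sequence[str]) -> Decision:
    """Classify the arguments that follow `huly` on the command line."""
    args = list(argv)
    if not args:
        return Decision(SAFE, "no subcommand")
    head = args[0]

    # Raw escape hatches: arbitrary REST (`api`) or RPC (`ws`) requests skip the
    # validation a dedicated subcommand applies, so gate all of them, not just POSTs.
    if head in ("api", "ws"):
        return Decision(NEEDS_APPROVAL, f"raw escape hatch `huly {head}`")

    # `workspace delete` prompts in the CLI; `--force` suppresses that prompt when
    # the active workspace is the target, so call it out explicitly.
    if head == "workspace" and len(args) > 1 and args[1] == "delete":
        forced = "--force" in args
        return Decision(
            NEEDS_APPROVAL,
            "workspace delete" + (" with --force (CLI prompt suppressed)" if forced else ""),
        )

    # `<resource> delete <ref...>`: the CLI prompts only for two or more refs,
    # so a single-ref delete would otherwise run with no confirmation at all.
    if len(args) > 1 and args[1] == "delete":
        refs = [a for a in args[2:] if not a.startswith("-")]
        return Decision(
            NEEDS_APPROVAL,
            f"{head} delete of {len(refs)} ref(s); CLI prompts only for 2+ refs",
        )

    return Decision(SAFE, "bounded subcommand")


# Assumption: the CLI records the selected workspace as plain text in this file
# (the path appears in the audited skill's own cleanup snippet).
ACTIVE_WORKSPACE_FILE = Path.home() / ".config" / "huly" / "active-workspace"


def read_active_workspace(path: Path = ACTIVE_WORKSPACE_FILE) -> str | None:
    try:
        return path.read_text(encoding="utf-8").strip() or None
    except OSError:
        return None


Approver = Callable[[str, str], bool]


def gate(
    argv: Sequence[str],
    approve: Approver,
    active_workspace: str | None = None,
    allowed_workspaces: Sequence[str] = (),
) -> bool:
    """True if the call may run. `approve(command, reason)` is consulted for
    every non-safe call; wire it to a human, never to the agent itself."""
    if allowed_workspaces and active_workspace not in allowed_workspaces:
        return False  # refuse outright: unknown or unintended workspace
    decision = classify(argv)
    if decision.verdict == SAFE:
        return True
    return approve("huly " + " ".join(argv), decision.reason)


def prompt_approve(command: str, reason: str) -> bool:
    """Interactive approver for a human operator."""
    answer = input(f"[gate] {reason}\n       {command}\n       run? [y/N] ")
    return answer.strip().lower() == "y"


def run(argv: Sequence[str], approve: Approver = prompt_approve,
        allowed_workspaces: Sequence[str] = ()) -> int:
    if not gate(argv, approve, read_active_workspace(), allowed_workspaces):
        print("[gate] refused: huly " + " ".join(argv), file=sys.stderr)
        return 126
    return subprocess.call(["huly", *argv])  # reached only after approval


if __name__ == "__main__":
    # Install as `huly-guard` and point the agent at it instead of `huly`.
    # HULY_GUARD_WORKSPACES (hypothetical): comma-separated allowlist of workspaces.
    allowed = tuple(w for w in os.environ.get("HULY_GUARD_WORKSPACES", "").split(",") if w)
    sys.exit(run(sys.argv[1:], allowed_workspaces=allowed))
```

The gate is deliberately coarse: it refuses before the binary runs and asks a human for every delete and every raw call, which is the only place an argv-level check can sit since it cannot see what an `api`/`ws` request will do on the server.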

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill explicitly instructs use of generic escape hatches (`huly ws` / `huly api`) when the normal CLI surface is insufficient. That expands agent capability from a bounded, documented command set to effectively arbitrary backend operations, which can bypass safer command-specific validation and increase the chance of overbroad or unsafe actions.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill authorizes arbitrary raw RPC method invocation against Huly internals and even shows direct object-creation examples. This gives an agent a near-unbounded control plane over the backend, potentially bypassing higher-level safety checks, expected workflows, and command restrictions, enabling unintended mutation or sensitive data access.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The skill permits arbitrary REST API requests to Huly endpoints via `huly api`, including POST requests whose bodies the agent composes. In an agent setting, this broadens the skill beyond the advertised CLI surface and can enable unauthorized state changes, access to unintended endpoints, or bypass of safer abstractions and review points.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Matched content (quoted from the skill)
- `workspace delete` (and `--force` if deleting the active workspace)
- Any `<resource> delete <ref...>` with ≥2 refs

Single-ref deletes proceed without confirmation. `dm create --person`, `dm send --person`, and `action unschedule --slot-id <single>` are non-destructive in the sense that they don't prompt.

Confidence: 83%
Matched text: "without confirmation"

YARA rule 'agent_skill_destructive_autonomous_actions': Autonomous destructive filesystem, shell history, or repository actions in AI agent skills [agent_skills]

Severity: High
Category: YARA Match
Matched content (quoted from the skill)
```bash
rm -f ~/.config/huly/credentials.json \
      ~/.config/huly/active-workspace \
      ~/.config/huly/active-account
unset HULY_TOKEN HULY_EMAIL HULY_PASSWORD HULY_WORKSPACE
```
Confidence: 80%
Matched strings: `rm -f ~/`, `without confirmation`, `silently` (three occurrences)

The `rm -f ~/` match is the prefix of the `~/.config/huly/...` paths above: the snippet removes the CLI's own credential and workspace-selection files and unsets the related environment variables, so it is a logout/cleanup step rather than broad home-directory deletion. It still runs without a confirmation prompt and will log the user out of the CLI, so treat it as an action the agent must not take on its own.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.