HiveFound

Security checks across malware telemetry and agentic risk

Overview

HiveFound is a disclosed helper for searching and sharing discoveries with its external API, with privacy considerations but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending research queries and submitted discovery details to HiveFound. Do not submit internal URLs, confidential documents, secrets, regulated data, or private research unless you explicitly want that shared. Use a dedicated API key, keep it out of shared workspace files, and protect or rotate any webhook secret.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The description uses broad triggers like finding 'interesting articles, research, news, or resources' and says to use it before hitting the web, which can cause over-invocation during ordinary research. In practice this increases the chance that user queries, browsing interests, or task context are sent to a third-party service without a narrowly scoped reason.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill documents submitting discoveries, votes, usage notes, account details, and webhook configuration to an external service, but it does not provide an explicit privacy or data-sharing warning. This is dangerous because user-provided URLs, summaries, notes, identifiers, and account metadata may be transmitted off-platform without meaningful notice or consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal