Hashmob Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent HashMob API helper, but it under-scopes destructive and account-changing examples that could affect user data or account state.

Install only if you are comfortable giving an agent access to HashMob account actions. Use a dedicated low-value HashMob account, do not expose your main API key, and require explicit confirmation before deletes, paid searches, purchases, withdrawals, notification changes, or any account mutation.

Publisher note

This skill interfaces with the Hashmob API. Before giving an AI agent access, understand what it can and can't do.

No API key needed

Several endpoints are unauthenticated and publicly accessible: listing hashlists, downloading left/found files, viewing leaderboards, and browsing resources. If you only want the agent to interact with public data, you can use this skill without providing any credentials.

With an API key

Setting HASHMOB_API_KEY in your environment gives the agent access to your Hashmob account. This includes submitting found hashes, managing your hashlists, searching for hashes (which costs account balance), making purchases from the store, and withdrawing Gold. Treat this key the same as a password.

Recommendation

If you want the agent to have full account access, use a dedicated dummy account rather than your main Hashmob account. That way the agent's actions are isolated; a mistake won't affect your reputation, balance, or submission history on your primary account.

SkillSpector (4)

By NVIDIA

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The skill documents destructive hashlist deletion endpoints as requiring no API key, which would enable unauthenticated deletion if followed as written or if the backing API actually behaves that way. In an agent setting, this is especially dangerous because the documentation normalizes a destructive action without emphasizing authorization checks or human approval, increasing the chance of misuse or data loss.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding
The notifications section claims account-scoped read and state-changing endpoints work without an API key, contradicting the earlier security model that ties account access to the API key. If accurate, this permits unauthorized access to notifications and unauthenticated state changes; if inaccurate, it still misleads agents into attempting unsafe or privacy-impacting operations without proper consent controls.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Even aside from whether the API enforces auth, the skill presents unauthenticated deletion commands without a prominent endpoint-specific warning. In an agent workflow, omission of such a warning lowers operator friction for destructive actions and can lead to accidental or unauthorized deletion attempts against user or public data.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The skill shows an endpoint that marks unread notifications as read without any endpoint-local warning, despite this being a user-state-changing action. In agent contexts, undocumented state mutation can cause silent account changes, audit confusion, and privacy issues even if the backend later rejects unauthenticated calls.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
