Huckleberry

Security checks across malware telemetry and agentic risk

Overview

This is a coherent guide for using an unofficial Huckleberry CLI, with expected but sensitive account authentication that users should handle carefully.

Install only if you trust the unofficial huckleberry-cli package and its dependencies. Prefer the interactive login when possible, avoid putting your real Huckleberry password in shell history or shared environment files, protect ~/.config/huckleberry/config.json, and double-check child, units, amounts, and timing before logging records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The documentation instructs users to place account credentials, including a password, in environment variables without any warning about their sensitive nature or safer handling options. Environment variables can be exposed through shell history, process inspection, crash logs, CI/CD job output, or inherited subprocesses, making this a real credential-handling weakness even though it appears to be convenience-focused documentation rather than malicious guidance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal