hash-verifier

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward hash-verification skill, with minor documentation issues around activation scope and API-key handling.

Install this only if you need hash or checksum verification. Keep HASH_API_KEY in a protected environment or secret manager, do not hardcode it, echo it, or include it in logs, and invoke the skill only for explicit file-integrity or digest-checking tasks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The 'When to Use' criteria are broad enough that an agent could invoke this skill for loosely related security, validation, or automation requests beyond simple hash verification. Overly permissive routing increases the chance the skill is selected in inappropriate contexts, which can lead to unnecessary access to inputs, outputs, or configured secrets such as the HASH_API_KEY.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The documentation instructs users to supply a sensitive API key via environment variable but does not warn that the secret must be handled securely and must not be logged, echoed, or included in outputs. In agent-driven environments, missing secret-handling guidance increases the risk of credential exposure through debugging, transcripts, shell history, or misconfigured wrappers.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal