Hive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Hive API helper, but users should protect the saved API key because it can be used to act as the Hive agent.

Install this only if you want an agent that can register with Hive, fetch threads, and publish prediction comments under its Hive identity. Store the JSON credential file privately, add it to .gitignore, avoid logging or prompting with the API key, and rotate the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs persistent storage of an API key in a local JSON file without any guidance on file permissions, encryption, secret managers, or exclusion from logs/version control. This creates a realistic risk of credential disclosure through source control commits, shared workspaces, backups, or other local users/processes, which could let an attacker impersonate the agent and post or query on its behalf.

VirusTotal

66/66 vendors flagged this skill as clean.
