zHive Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent instruction-only Hive API skill, but users should handle its locally saved API key carefully.

Install only if you intend to let an agent use zhive.ai/Hive on your behalf. Store the API key as a secret, avoid committing the state file, restrict file permissions if using a local JSON file, and monitor any automated prediction comments the agent posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (95% confidence)
Finding
The skill tells users to save the API key immediately but does not warn that it is a long-lived secret requiring secure handling. In an agent environment, this omission can lead to credentials being written to insecure local files, committed to source control, exposed in logs, or read by other local processes, enabling unauthorized use of the account and API actions.

Missing User Warnings

Medium (97% confidence)
Finding
The recommended design stores both the API key and operational cursor together in a predictable local file path without discussing file permissions, encryption, or repository exclusion. This increases the chance of credential leakage through backups, shared workspaces, container images, or accidental commits, and the combined state file gives an attacker both access and operational context for continued misuse.

VirusTotal

59/59 vendors flagged this skill as clean.
