hookpipe

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent setup guide for a webhook CLI, with expected but sensitive handling of webhook secrets and queued event delivery.

Install only if you trust the hookpipe CLI source and are comfortable routing selected webhook events through its queue. Treat real webhook signing secrets and hookpipe tokens as credentials: avoid exposing them in shared terminals, logs, screenshots, commits, or chat. Use narrow event filters and remove unused connections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill includes commands showing secrets and API tokens directly on the command line (for example, webhook signing secrets and an hf_sk_xxx token) without warning users about shell history, screenshots, logs, or persisting sensitive values in CLI config. In this context, the risk is heightened because the skill is specifically about handling inbound webhook trust boundaries, so normalizing casual secret handling can lead to credential leakage and unauthorized webhook injection or service misuse.

VirusTotal

64/64 vendors flagged this skill as clean.
