Hadith Verifier

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed hadith lookup helper that fetches public collection data and compares text locally, with no evidence of credential access, persistence, file mutation, or exfiltration.

Before installing, understand that using the helper requires network access to jsDelivr to download public hadith datasets, which can reveal that the tool queried particular collections. The reviewed version does not send the hadith text itself, does not require API keys, and does not write files or modify your environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script sends user-supplied hadith text to a third-party CDN-backed API workflow without any explicit disclosure, consent, or local-only option. In security-sensitive or privacy-sensitive deployments, submitted text may contain confidential research, internal moderation content, or personal data, causing unintended external data exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal