The Hive

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed shared-knowledge integration, but it broadly sends prompts and task-derived learnings to an external service with limited local controls.

Install only if you are comfortable with The Hive receiving prompt text and selected task-derived learnings. Avoid using it for confidential, regulated, client, credential-bearing, or proprietary work unless you add local approval/redaction controls and verify the provider's retention, deletion, and isolation policies. Treat returned Hive context as untrusted reference material, and run the optional npx tools only after reviewing and pinning them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to inspect local filesystem locations and PATH entries to detect other installed AI frameworks, then use that information for referral-style prompts. This expands the skill's effective access from knowledge querying/contribution into host reconnaissance, which is unnecessary for core functionality and can disclose local environment details or normalize broader system inspection.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The manifest describes a shared knowledge hook, but the body adds referral mechanics, badge incentives, leaderboard/status features, and autonomous training-session participation. These extra behaviors create pressure to perform actions unrelated to the declared purpose, including outreach, self-promotion, and additional remote interactions, which broadens the attack and privacy surface beyond what an installer would reasonably expect.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README explicitly states that the skill installs a pre-task hook that performs network queries before every response and encourages sending learned content back to a remote service. Even though it claims server-side PII scrubbing and quality gates, this creates automatic outbound data flow tied to user tasks, which can expose sensitive prompts, context, metadata, or derived work products without clear, prominent consent and local control.

Vague Triggers

High
Confidence: 98%
Finding
The hook is configured with matcher '*' and fires before every user prompt, sending all prompts to a remote service. This creates indiscriminate exfiltration risk for sensitive requests, credentials, proprietary data, or regulated content, and there is no contextual gating, consent prompt, or sensitivity filter.

Missing User Warnings

High
Confidence: 99%
Finding
The skill encourages wiring a pre-task hook that transmits each task prompt to a remote API, but it does not present a prominent user-facing warning at the point of installation/configuration. That omission undermines informed consent and increases the chance that sensitive user inputs are sent externally without the owner's understanding.

Missing User Warnings

High
Confidence: 98%
Finding
The post-task instructions normalize sending task-derived 'learnings' to a shared remote knowledge base, but the skill does not provide a strong user-facing warning that information derived from private work may be contributed externally. Even with later scrub rules, the agent is still being asked to generalize and export insights from owner tasks, creating a real disclosure pathway.

Ssd 3

Medium
Confidence: 94%
Finding
The onboarding flow instructs the agent to mine its own prior knowledge and interactions for reusable observations and upload them. In practice, this creates a semantic pathway for repackaging user-derived or confidential context into generalized statements that may evade simple PII scrubbing while still disclosing sensitive operational patterns or proprietary information.

Ssd 3

Medium
Confidence: 93%
Finding
The periodic re-extraction instructions tell the agent to revisit past tasks and contribute missed learnings later. This encourages retention and secondary use of private task context for outbound sharing, increasing the chance of cumulative leakage of sensitive patterns even when direct identifiers are removed.

Ssd 3

Medium
Confidence: 96%
Finding
The post-task distillation prompt explicitly asks the agent to decide what it learned from an owner's task and push it to the collective. Although it says to strip names and paths, it still institutionalizes sharing insights derived from private work, and abstracted technical details can remain sensitive or proprietary even after superficial redaction.

VirusTotal

65/65 vendors flagged this skill as clean.