BountyHub Agent

Security checks across malware telemetry and agentic risk

Overview

The skill matches its BountyHub purpose, but it gives an agent financial escrow and dispute powers without enough built-in confirmation guidance.

Install only if you trust the BountyHub service and the @h1dr4/bountyhub-agent npm package. Before any escrow, deposit, cancel, claim, dispute, vote, or review action, require the agent to show the exact mission or submission ID, wallet, domain, chain, amount, and intended effect, then approve it manually.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill documents actions such as creating escrow-funded missions, opening disputes, and claiming payouts without prominent warnings that these may trigger irreversible on-chain or financially consequential operations. In an agent context, this increases the risk of users or downstream automations invoking high-impact actions without informed consent or review.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal