HackMD

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps an agent manage HackMD notes, including sensitive write and delete actions that users should supervise.

Install only if you are comfortable giving an agent access to your HackMD account. Protect HMD_API_ACCESS_TOKEN, verify note IDs and team paths before updates or deletes, consider exporting important notes before deletion, and avoid committing ./.hackmd/tracked-notes.json if note metadata is sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill documents direct create, update, and delete commands against HackMD content without any warning, confirmation guidance, or safety guardrails for destructive operations. In an agent context, this increases the risk of accidental or unauthorized modification or permanent deletion of notes, especially when the API token may cover personal and team workspaces.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal