Back to skill

Security audit

HackMD

Security checks across malware telemetry and agentic risk

Overview

This skill clearly provides HackMD note management and change tracking, with sensitive write/delete powers that users should supervise.

Install only if you are comfortable giving an agent access to your HackMD account. Protect HMD_API_ACCESS_TOKEN, verify note IDs and team paths before updates or deletes, export important notes before deletion, and avoid committing ./.hackmd/tracked-notes.json if note metadata is private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents irreversible deletion commands for personal and team notes without any confirmation guidance, backup recommendation, or warning about scope. In an agent context, exposing destructive commands as normal examples increases the chance of accidental or unauthorized data loss, especially when the API token may cover many notes or team workspaces.

Session Persistence

Medium
Category
Rogue Agent
Content
}
}

// Save state to file
function saveState(state) {
    ensureStateDir();
    fs.writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
Confidence
80% confidence
Finding
Save state to file

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.