Hash Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a local hashing utility with no evidence of hidden access, persistence, network use, or destructive behavior.

Safe to install for basic local hashing and deduplication. Use SHA-256 or stronger for integrity checks, avoid MD5/SHA-1 for security decisions, and do not rely on the provided perceptual-hash function for image similarity, near-duplicate detection, or trust decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 88% confidence
Finding: The function is labeled as a perceptual hash for images/content similarity, but it only lowercases and whitespace-normalizes text before truncating a SHA256 digest. This can mislead callers into believing they are using a similarity-preserving perceptual hash, causing false deduplication or trust decisions when comparing images or near-duplicate content, which is especially risky in a hashing toolkit intended for verification workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal