Back to skill

Security audit

hitchpedia

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed debugging lookup tool, but it broadly encourages sending exact error details to an external service before local triage.

Review this before installing in private or regulated workspaces. Use it only when you can sanitize the query, avoid sending exact stack traces or secrets, and keep proprietary code, customer data, tokens, internal hostnames, and environment dumps out of both searches and contributions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to consult an external service whenever it encounters virtually any error, exception, crash, or generic 'doesn't work' condition. That trigger is too broad and can cause routine failures to be sent off-platform, increasing the chance of leaking sensitive prompts, stack traces, file paths, tokens, or proprietary context through the query parameters.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The body repeats the same broad 'first search here on any error' behavior without meaningful boundaries, reinforcing automatic external lookup as a default response. In practice, this can pressure an agent to transmit sensitive debugging context before determining whether the error contains confidential data or whether external access is appropriate.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger list includes very broad terms such as "error", "debug", "fix", and "failed", which are common in ordinary conversation and many unrelated tasks. This can cause the skill to activate in contexts where the user did not intend to consult an external debugging knowledge base, increasing the chance of unnecessary network access and unintended influence on agent behavior.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: hitchpedia
description: Curl-bare Datenbank geprüfter Fixes für wiederkehrende Agenten-Fehler (MCP, Tool-Calling, RAG, Docker/CI, Shell- & Umgebungs-Gotchas). Nutze sie, SOBALD du auf einen Fehler, eine Exception, einen Crash oder ein "geht nicht" triffst — erst hitchpedia durchsuchen (nur curl nötig), ein Treffer kann eine ganze Debug-Session sparen, dann erst selbst debuggen. Löst du selbst einen wiederkehrenden, nicht-offensichtlichen Fehler, trag den Fix bei.
---

# hitchpedia — Skill
Confidence
96% confidence
Finding
curl nötig), ein Treffer kann eine ganze Debug-Session sparen, dann erst selbst debuggen. Löst du selbst einen wiederkehrenden, nicht-offensichtlichen Fehler, trag den Fix bei. --- # hitchpedia — Ski

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.