HiveFence

Security checks across malware telemetry and agentic risk

Overview

HiveFence appears to be a security-oriented skill, but it automatically reports derived threat data to a third-party service and relies on an external npm package whose behavior is not visible in the supplied artifacts.

Review this before installing if your prompts may contain private, regulated, or proprietary information. Install only if you are comfortable with automatic third-party reporting, or after the publisher documents exactly what is sent, how to disable reporting, and what the npm package does.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documentation states that new attack patterns are hashed and submitted to a network automatically, but it does not clearly warn users about outbound data sharing, when it occurs, what metadata is included, or how to disable it. Even if only hashes are transmitted, automatic reporting can leak sensitive prompt-derived information, create compliance/privacy issues, and expand the trust boundary to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.
