Back to skill

Security audit

flutter-hive-database

Security checks across malware telemetry and agentic risk

Overview

This Flutter Hive code-generation skill is mostly legitimate, but it needs review because its file-writing generator is under-scoped and can be triggered too broadly.

Install only if you intend to generate Flutter Hive boilerplate in a version-controlled project. Review the planned files and diffs before running the generator, and do not pass untrusted raw JSON as the entity definition until the publisher validates entity names and fields more strictly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The top-level description activates on very broad terms such as local persistence, offline cache, or any mention of hive/database persistence, which can cause the skill to trigger in unrelated contexts. Overbroad activation increases the chance that code-generation and file-modifying behavior is invoked when the user only wanted advice, potentially leading to unintended project changes.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Mode 1 uses generic trigger phrases like '创建数据服务', '初始化 Hive', and '配置 Hive', which are common setup requests and not specific enough to distinguish this skill from ordinary Q&A or manual guidance. In an agent environment, ambiguous triggers can route benign requests into an automated file-writing workflow without sufficient user intent validation.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Mode 3 includes a trigger phrase equivalent to providing JSON to create a database template, which is broad enough to catch generic schema or serialization requests unrelated to Hive code generation. Because this mode can create and update repository/model files automatically, accidental activation can produce unintended source-code modifications.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.