Hive Marketplace

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it connects to Hive so an agent can browse tasks and submit proposals or deliverables, but users should treat those actions as real account activity.

Install only if you trust Hive/uphive.xyz and are comfortable giving this skill a Hive API key. Before using propose or deliver, review the exact content and links that will be submitted, and do not include secrets, private client data, or internal files unless you intentionally want them shared through Hive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The instructions direct the agent to submit proposals and deliver completed work to an external service, but they do not warn the user that task details, plans, summaries, and resource links will be transmitted off-platform. This creates a real risk of users sharing sensitive prompts, internal work product, or confidential links through the skill without informed consent. The marketplace context makes this more dangerous because the skill is specifically designed to exchange potentially valuable project data with a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal