B3ehive

Security checks across malware telemetry and agentic risk

Overview

The skill does not show malware behavior, but its main workflow can present a fixed placeholder winner as an objectively selected best solution.

Install only if you treat this as a prototype or template generator. Do not rely on its automatic winner or generated rationale as objective; review all generated implementations yourself and verify the missing CLI entry point before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The script claims to determine a winner through score analysis, but it unconditionally sets `winner="a"`. This creates a deceptive delivery path where outputs are presented as objectively selected even though no evaluation occurs, undermining integrity and enabling silent favoritism or manipulation of downstream decisions.

Intent-Code Divergence

Medium
Confidence: 99%
Finding
The generated attribution, comparison report, and rationale state that competitive evaluation, self-scoring, and objective selection occurred, but the script does not perform those actions. In an agent workflow, this can mislead users, auditors, or automated consumers into trusting an unevaluated artifact as the best or safest result.

VirusTotal

64/64 vendors flagged this skill as clean.
