Hermit Search Publish

Security checks across malware telemetry and agentic risk

Overview

This is a local search helper that clearly centers on indexing user-chosen folders, but users should choose folders carefully and trust the upstream Hermit install source.

Install this only if you trust the Hermit GitHub project. Index narrow, dedicated folders instead of whole home directories or broad project roots, use ignore rules for secrets and private files, check collections before removing them, and stop the local service when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (91% confidence)

Finding: The skill documents recursive indexing of arbitrary directories without an explicit warning that local files will be ingested into a searchable knowledge base. In an agent context, this can lead to unintentional collection of sensitive local data from broad paths such as home directories, source trees, or document folders.

Missing User Warnings

Medium (88% confidence)

Finding: The documentation includes a destructive removal command without warning or confirmation guidance. In an agent-assisted workflow, this increases the risk of accidental deletion of a collection or its associated indexed state, causing data loss or operational disruption.

VirusTotal

61/61 vendors flagged this skill as clean.
