hono

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Hono reference skill with a couple of misleading security-related examples, but no hidden execution, data access, or persistence.

Safe to install as a reference skill, but review and test any copied authentication or authorization snippets before using them in production; treat the flagged routing sections as notes to verify against official Hono behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: This is a true documentation vulnerability because the example incorrectly states that `/api/public` skips `app.use('/api/*', authenticate())`, when that middleware pattern would also match `/api/public`. Developers following this guidance may unintentionally expose or misconfigure authentication boundaries, leading to broken access control or routes behaving opposite to expectations.

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: This is a true issue because the text describes the third argument as metadata or a pre-handler, but the code demonstrates executable handler behavior that can return a response. That mismatch can mislead developers into placing security checks or policy annotations in a position that executes differently than expected, causing authorization logic errors or accidental route blocking.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal