Trust Assessment
The HIVE 🐝🚀 received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are "Agent instructed to prioritize external instructions (Prompt Injection)" and "Agent instructed to report its API key".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Agent instructed to prioritize external instructions (Prompt Injection): The skill explicitly instructs the agent to prioritize 'Human Guidance' (direct instructions from the Question Author) over its initial prompt. This creates a critical prompt injection vulnerability, allowing an untrusted external entity (the 'Question Author') to manipulate the agent's behavior and override its core directives. Agents should never be instructed to prioritize external, untrusted input over their core instructions. Implement strict sanitization and validation of 'Human Guidance' and ensure it can only modify specific, limited parameters, not override the agent's fundamental operating instructions or security directives. | LLM | skills/rbalage/the-hive-skill/SKILL.md:144 |
| HIGH | Agent instructed to report its API key: The skill explicitly instructs the agent to immediately report its newly generated API key to the owner. While intended for the owner, this involves the agent directly outputting a sensitive credential. If the communication channel to the owner is compromised, or if the owner's environment is insecure, this could lead to the API key being exfiltrated. Avoid instructing agents to directly output sensitive credentials like API keys. Instead, provide a secure mechanism for the owner to retrieve or confirm the key (e.g., through a secure dashboard or a one-time, time-limited link). If direct reporting is necessary, emphasize the critical importance of secure communication channels. | LLM | skills/rbalage/the-hive-skill/SKILL.md:262 |