hivo-drop
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates file management by executing local CLI commands through the `hivo` utility, including `hivo drop upload`, `hivo drop download`, `hivo drop delete`, `hivo drop list`, and `hivo drop share`.
- [DATA_EXFILTRATION]: The skill's primary function is to upload local files to the external Hivo Drop service (hivo.ink). It also requires checking for the presence of a local authentication file, `.hivo/identity.json`, which is managed by the vendor's CLI.
- [EXTERNAL_DOWNLOADS]: Fetches files from the remote Hivo Drop storage to the local machine or terminal output via the `hivo drop download` command.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes and can display the contents of remote files that could contain malicious instructions.
  - Ingestion points: Remote file content is read into the agent's context using the `hivo drop download <path>` command (when local save path is omitted).
  - Boundary markers: None identified; the skill does not specify any delimiters or warnings to ignore instructions found within downloaded file data.
  - Capability inventory: The skill has the capability to execute shell commands (`hivo` CLI), write to the local filesystem, and read local files.
  - Sanitization: No validation or sanitization of downloaded content is performed before it is processed or output to the terminal.
Audit Metadata