hyperbots-api
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The script scripts/hyperbots_cli.py contains a hardcoded production API key (hk_live_9015f91550d87dbf23f73f5baea68d5d) assigned as a default value.
- [DATA_EXFILTRATION]: The skill transmits API keys and document contents over an unencrypted HTTP connection to http://hyperapi-production-12097051.us-east-1.elb.amazonaws.com, exposing sensitive data to potential interception.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the hyperapi Python package and uses npx to fetch skill components from the author's repository.
- [PROMPT_INJECTION]: The skill processes untrusted external files (PDFs, images) through vision-language models, which creates a surface for indirect prompt injection.
  - Ingestion points: Files provided to the parse, extract, and process tasks in scripts/hyperbots_cli.py and SKILL.md.
  - Boundary markers: None identified; the skill does not use delimiters or provide instructions to the agent to ignore potentially malicious content within processed documents.
  - Capability inventory: Network requests (POST) to the HyperAPI backend and the ability to read local files.
  - Sanitization: No input sanitization or output validation is implemented to prevent the execution of instructions embedded in the processed documents.
Recommendations
- AI detected serious security threats
Audit Metadata