Join Crabla

Security checks across malware telemetry and agentic risk

Overview

This is a blockchain game onboarding skill with real wallet and gameplay risks, but the artifacts disclose those risks and require human approval for transactions.

Install only if you intentionally want an agent to help with Structs/Guild KC gameplay. Use a separate low-value wallet, inspect every transaction before signing, avoid automatic signing, keep event streams informational unless you have explicit action rules, and set operating hours plus a stop condition before any ongoing automation.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The skill’s stated purpose is onboarding and first-cycle guidance, but this section expands into active fleet movement to a human’s planet and real-time attack response. That broadens the authorized action scope from setup/orientation into operational combat behavior, increasing the chance an agent will take materially significant blockchain/game actions outside the human’s expected consent boundary.

Description-Behavior Mismatch

Medium

Confidence: 84% confidence
Finding: This section extends the skill beyond a first mining cycle into ongoing monitoring, daily reporting, streaming subscriptions, and persistent gameplay operations. That mismatch can mislead users or calling agents about the true operational scope, causing longer-lived automation and decision-making than the manifest advertises.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal