Structs Streaming

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Structs game-event streaming skill with disclosed but important risks around plaintext WebSocket monitoring and optional wallet automation.

Install only if you intend to monitor Structs GRASS events. Keep wildcard subscriptions brief, avoid retaining broad third-party event traffic, treat ws:// event data as unencrypted and potentially tamperable, and use dedicated low-permission signer keys with explicit approval gates for any spending or consequential game actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs users to connect to `ws://` endpoints and even says not to rewrite them to `wss://`, but it does not warn that plaintext WebSocket traffic lacks transport confidentiality and integrity. An on-path attacker could observe event traffic, inject or tamper with messages, or mislead automation built on these events, which is especially concerning because the skill encourages event-driven defensive and transactional reactions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal