dnd5e-dm-general

Security checks across malware telemetry and agentic risk

Overview

This D&D dungeon-master skill is mostly coherent, but it gives the agent persistent workspace mutation and self-extending code behavior without enough user control.

Review before installing. Use it only in a dedicated campaign workspace, not a directory with unrelated personal files. Expect it to read module/rule/save files and create or overwrite campaign state files. Disable or remove the automatic generated-code accumulation workflow unless you are prepared to review every new helper function before reuse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium, 94% confidence
Finding
The skill claims that newly generated code will be automatically converted into reusable functions and accumulated during runtime, which introduces self-modifying behavior unrelated to a normal D&D DM function. Runtime code generation and persistence are dangerous because they can expand capability over time, create unreviewed executable artifacts, and make later behavior unpredictable and hard to audit.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The guide explicitly instructs creating wrapper functions that invoke local Python scripts via subprocess. That gives the skill an operational path to execute local commands and scripts, which is materially broader than pure D&D narration/rules assistance and can be abused if attacker-controlled input reaches the command invocation or if the agent is allowed to run tools autonomously. In this skill context, local script execution is not inherently required for storytelling, so the capability meaningfully increases risk.

Missing User Warnings

Medium, 86% confidence
Finding
The skill states that it will automatically create and update save/state files locally, but does not warn users about persistence, retention, or what gameplay/chat-derived data is stored. This can lead to unexpected local data accumulation, privacy issues on shared systems, and inadvertent storage of sensitive user-entered content.

Missing User Warnings

Medium, 88% confidence
Finding
Automatically generating plot summaries from conversation history without a privacy warning means the skill may derive and persist condensed records of user interactions without informed consent. Summaries can still contain sensitive personal or behavioral information and may be easier to retain, search, or exfiltrate than raw chat context.

Missing User Warnings

Medium, 88% confidence
Finding
The guide directs the DM to immediately update a workspace file (`filled_content.md`) whenever new content is used, without any user-facing notice or approval boundary. Silent or automatic file modification can surprise users, overwrite expected state, and create persistence the user did not intend. In a game skill, maintaining notes may be reasonable, but automatic writes still need disclosure and consent controls.

Missing User Warnings

Medium, 89% confidence
Finding
This section mandates automatic construction of multiple `MODULE_*` files by parsing module content at startup, again without warning the user that files will be created. Even if intended for convenience, unattended file generation expands the skill from assistant behavior into workspace mutator behavior and can clutter or alter project state unexpectedly.

Missing User Warnings

Medium, 94% confidence
Finding
This section includes concrete patterns for running local commands and Python scripts through subprocess, but provides no safety warning, approval gate, or execution constraints. In an agentic environment, such examples normalize autonomous local execution and may be repurposed to run unintended commands or access local resources, making the skill notably more dangerous than a normal game assistant.

Missing User Warnings

Medium, 87% confidence
Finding
The initialization flow specifies automatic creation of state and index files (`MODULE_INDEX.md`, `MODULE_ARC.md`, `world_state.json`, `srd/scenes_index.json`) without warning or approval. This is a true safety issue because it authorizes persistent workspace mutations as part of normal activation, which can be surprising and harmful in environments where skills should be minimally invasive.

Missing User Warnings

Medium, 92% confidence
Finding
The document instructs the agent to search local `saves/` files and consult other local rule repositories as part of normal operation, but it provides no user-facing consent, scoping, or privacy warning. In an agent setting, automatic filesystem enumeration can expose sensitive local data or metadata beyond what the user expected, especially if the working directory contains personal save content or unrelated files.

Missing User Warnings

Medium, 96% confidence
Finding
The startup protocol mandates scanning `saves/` and potentially loading JSON save files at the beginning of each new conversation, again without an explicit privacy notice or opt-in. This creates a persistent pattern of automatic local data access that could reveal sensitive campaign notes, player identifiers, or other content stored in the same environment.

VirusTotal

VirusTotal findings are pending for this skill version.