Security audit

Minecraft Custom Mod Builder

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote Minecraft mod-building skill with paid hosted actions and file uploads, but no hidden local execution, persistence, or credential harvesting was found.

Install only if you are comfortable using AgentPMT-hosted services. Confirm before spending credits, avoid uploading sensitive or third-party artwork unless you have rights to use it, and inspect generated .jar, .mcaddon, .mcpack, or source artifacts before installing them into Minecraft.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The activation keywords are broad enough to trigger this skill for ordinary Minecraft requests, not just explicit requests to use the hosted AgentPMT mod builder. That can cause unintended remote tool use, unnecessary paid actions, and unexpected transmission of user content to an external service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages uploading user artwork and generating downloadable artifacts through a hosted remote service, but it does not prominently require a user-facing notice that images, specs, and generated outputs leave the local environment. This creates a privacy and consent risk, especially when users may believe they are interacting with a local capability.

VirusTotal

63/63 vendors flagged this skill as clean.