game-market

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed YY game marketplace browser that queries listings and only hands off buying or selling to the website.

Install only if you are comfortable with your agent querying YY marketplace listings and sending selected game/category search context to YY. Be aware that broad trigger words may invoke it during ordinary game-trading discussion, and complete any login, purchase, sale, or payment manually on the YY website after checking the item and URL yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger examples include very generic commerce phrases like 'buy account', 'sell account', and game-item terms that can easily appear in ordinary conversation. In an agent environment, this can cause unintended invocation of the skill and lead to surprising actions such as querying a third-party marketplace or prompting to open external links, especially because the skill is designed to react to purchase intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger 'game account' is broad enough to activate during ordinary discussion about accounts, rather than explicit intent to search a trading marketplace. Because this skill can fetch listings and later prompt browser opening to a third-party market, overbroad activation increases the risk of unintended invocation and steering users toward account trading content they did not request.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The standalone trigger 'boosting' is highly ambiguous and common in gaming conversation, so it may fire on discussions unrelated to this marketplace. In this skill's context, accidental activation can expose marketplace results and facilitate access to potentially policy-sensitive boosting services without clear user intent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The standalone trigger 'coaching' is generic and likely to appear in normal gameplay or advice conversations. Since the skill transitions from chat results to opening a trading site, this broad trigger can cause unintended marketplace redirection and confusion about whether the user wanted listings versus general help.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The phrase 'game items' is too general and may match ordinary discussions about inventory, gear, or drops rather than marketplace searches. In this skill, that can lead to unsolicited listing queries and subsequent encouragement to visit an external trading marketplace.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The Chinese trigger '游戏交易' broadly covers general game-trading discussion and does not necessarily indicate intent to use this specific YY marketplace skill. Because the skill can present listings and move users toward browser-based transactions, this ambiguity raises the chance of unintended activation and undesired redirection.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The Chinese term '代练' is short, common, and context-dependent, so it can appear in casual conversation without indicating intent to browse a marketplace. Given that the skill can surface boosting listings and guide the user to an external site, the broad trigger meaningfully increases unintended activation risk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The Chinese term '陪练' is also generic and may describe discussion about coaching or practice partners rather than a shopping request. In the context of a marketplace skill, accidental activation can direct users into commercial listing flows they did not intend to access.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The Chinese noun '道具' is broadly used in normal gaming conversations about items, equipment, or consumables, not just marketplace activity. In this skill, such generic matching can trigger unnecessary listing lookups and promote an external trading marketplace absent clear user intent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The activation guidance explicitly instructs the skill to trigger on generic keyword mentions and game names, creating broad and ambiguous invocation boundaries. This is more dangerous in context because the skill fetches third-party marketplace data and can proceed to opening mall.yy.com, so false activations can steer users toward account trading, boosting, or item-trading content unintentionally.

VirusTotal

65/65 vendors flagged this skill as clean.
