World Cup 2026 API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only football data API skill with disclosed external API-key use and no executable or hidden local behavior.

Install only if you trust the 26worldcup.cn API provider. Use a scoped or disposable API key where possible, monitor quota or billing, and avoid sharing unrelated secrets when making the documented requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The read_when entries are broad functional prompts such as querying live scores or schedules, without clear scoping or boundaries on when the skill should activate. This can cause the agent to invoke the skill in overly general sports-related contexts, increasing the chance of unnecessary external API calls, unintended data sharing in requests, or workflow hijacking by a less relevant skill.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal