lol-analyst

Security checks across malware telemetry and agentic risk

Overview

This is a coherent League of Legends stats tool that uses a Riot API key as expected; its local plaintext config file is a risk users should understand.

Install if you are comfortable giving the skill a Riot Games API key and letting it save HTML or JSON reports locally. Prefer setting RIOT_API_KEY as an environment variable; if you use --setup, know that the key is stored in plaintext at ~/.lol-analyst/config.json and should be removed or rotated if the machine is shared or compromised.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions even though its specification clearly relies on environment-variable access and reading/writing local files to configure the API key and emit HTML reports. This mismatch weakens platform enforcement and user awareness, making it easier for the skill to access sensitive data or create files without transparent consent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code persists the Riot API key in a plaintext JSON file under the user's home directory. While this is common in simple tools, it creates credential exposure risk if local file permissions are weak, the host is shared, backups are accessible, or malware/user confusion leads to disclosure; there is also no visible warning or safer storage fallback.

VirusTotal

65/65 vendors flagged this skill as clean.
