Nba Analyst

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent NBA data assistant that uses public NBA data and local report/cache files, with only low-risk scope and dependency hygiene notes.

Before installing, expect the skill to make outbound requests for NBA data and to create local cache/report files when used. Consider pinning dependencies or installing from a locked environment if reproducibility matters, and be aware that generic sports queries may invoke this NBA-specific skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes broad generic terms such as '比分', '排名', '球队', '球员', and '赛程', which are not uniquely tied to NBA contexts. This can cause the skill to activate for unrelated sports or general conversations, increasing the chance of unintended tool invocation, incorrect data access, or user confusion in multi-skill environments.

Missing User Warnings

Low
Confidence
70% confidence
Finding
The entrypoint exposes HTML report generation commands without any user-facing notice that report creation may write files or create persistent output. In agent environments, undisclosed filesystem side effects can surprise users, cause unintended artifact creation, or be abused to clutter shared workspaces even if the feature is otherwise legitimate.

Unpinned Dependencies

Low
Category
Supply Chain
Content
nba_api>=1.2.0
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0
Confidence
95% confidence
Finding
nba_api>=1.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
nba_api>=1.2.0
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0
requests>=2.31.0
Confidence
95% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
nba_api>=1.2.0
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0
requests>=2.31.0
Confidence
95% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
nba_api>=1.2.0
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0
requests>=2.31.0
Confidence
95% confidence
Finding
matplotlib>=3.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
numpy>=1.24.0
matplotlib>=3.7.0
requests>=2.31.0
Confidence
95% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
78% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.
