Steam Community Inventory

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it asks users to handle a live Steam session cookie without enough safety warning.

Install only if you are comfortable handling a Steam browser session cookie. Treat STEAM_COOKIES like a password: do not share it, avoid putting it in shared terminals, logs, screenshots, or persistent shell history, and sign out of Steam or invalidate the session if it may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to extract and place an authenticated `steamLoginSecure` session cookie into an environment variable, which is effectively a bearer credential. That creates a meaningful risk of credential disclosure through shell history, logs, process inspection, screenshots, or downstream tooling, and the skill does not clearly warn that compromise of this cookie can enable account access or abuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal