Security audit

Fs Worldcup Knockout

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for propSPACE play-money trading, but it needs review because it can change account positions, uses a shared default password, and stores login tokens locally in plaintext.

Install only if you are comfortable with a skill that authenticates to FunctionSpace, can place play-money competition trades when run with --live, and writes an auth token to disk. Set a unique FS_PASSWORD, avoid using the documented default, protect or remove the .auth token file after use, and treat BRAVE_API_KEY and any GitHub token as secrets. Review dry-run output before any live run, especially before combining --live with --all-markets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill advertises capabilities that include environment access, file read/write, and network use but does not declare permissions explicitly. That weakens least-privilege controls and user visibility, increasing the risk that sensitive environment variables, local files, or remote endpoints are accessed without clear consent or policy enforcement.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented behavior materially understates what the skill does: it performs account creation/login, token persistence, web scraping for sentiment, local cache updates, and market/account inspection beyond the stated trading strategy. This mismatch prevents informed review and can hide risky data handling or mutating actions, making it easier for operators to run a skill with broader access and side effects than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The handoff claims an evidence-backed Gaussian trading strategy, but the documented fallback says the skill may trade directly off FunctionSpace expected points/line when enrichment data is missing. That creates a material integrity and transparency issue: users or downstream agents may believe trades are supported by independent evidence when the system is effectively mirroring platform-provided inputs, increasing the risk of unjustified automated trading decisions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The script explicitly adds web-derived sentiment into player_data.json and states that the main trader uses that sentiment to shift expected-score lines by up to ±15%. This materially changes trading behavior based on an unverified external signal that is not part of the core xG/xA/passing evidence model, increasing manipulation and model-drift risk in a financial/trading context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The code performs live Brave web searches for each player and converts article titles/snippets into a sentiment score that feeds trading decisions. In this skill context, that creates an unnecessary external influence channel where noisy, SEO-driven, or adversarial content can bias an automated market strategy.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The file instructs the operator to run `python3 main.py --live` and expects successful `BOUGHT` executions, but it does not present a clear, explicit warning immediately before execution that this step places real trades and changes account positions and balance. In a trading skill, that omission materially increases the risk of unintended financial/account actions, especially because the test flow normalizes moving from dry run to live execution.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The instructions include concrete credentials/environment variables (`FS_USERNAME`, `FS_PASSWORD`) and direct the user to create and export a GitHub PAT, yet they provide no sensitive-handling guidance, redaction warning, or secret-management precautions. This creates a credible path to credential leakage through shell history, logs, screenshots, copied reports, or reuse of real tokens in an environment that also performs authenticated trading actions.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The manifest documents a predictable default password value ('simmer-wc-bot') for an account used by the trading skill. Even if framed as optional or intended for first-run convenience, publishing a shared default credential materially increases the risk of account takeover, especially if users deploy without overriding it or if accounts are auto-created on first run. In a trading/bot context, compromised accounts could be used to place unwanted trades, manipulate positions, or impersonate the user on the platform.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The client persists a long-lived bearer token to disk in plaintext JSON with no file-permission hardening, encryption, or explicit user consent. Any local user, malware, backup system, or process with access to that path can reuse the token to authenticate as the user and perform trading actions until the token expires.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The code uses a hardcoded fallback password ("simmer-wc-bot") when FS_PASSWORD is unset. In an auto-signup/login flow, this can lead to predictable credentials, accidental account sharing across deployments, and unauthorized access to the trading account if the username is known or guessed.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: FUNCTIONSPACE_HANDOFF.md:25