Aavegotchi 3D Renderer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: render Aavegotchi assets through public APIs and save the resulting JSON and PNG files locally.

Install only if you are comfortable running a local Node script that contacts Goldsky and Aavegotchi, starts renderer work for the token you provide, and saves JSON/PNG artifacts to /tmp or a directory you choose. Avoid running it with elevated privileges or setting --out-dir to sensitive system folders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 91%
Finding
The skill explicitly instructs saving raw API responses and rendered artifacts to local disk without warning the user or requiring explicit consent. While the data involved appears operational rather than highly sensitive, silent file creation can still surprise users, leak data into shared temporary directories, and leave residual artifacts that persist beyond the session.

VirusTotal

65/65 vendors flagged this skill as clean.
