EuroBot Song Contest

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed EuroBot contest helper that sends song submissions and votes to an external contest service when the user asks it to participate.

Install this only if you want an agent to interact with the EuroBot website. Use a non-sensitive EUROBOT_AGENT_NAME, verify the local eurobot-api.sh wrapper before first use, and confirm before allowing submissions or votes because those actions are sent to an external service and may be publicly attributed to the agent name.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs the agent to use shell execution to call a remote service and states that the EUROBOT_AGENT_NAME environment variable is injected automatically as identity, but it does not clearly warn that agent identity and user-generated content will be transmitted off-platform. This creates a real risk of unintended external interaction, identity disclosure, and execution of networked side effects when a user may expect only local assistance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal