Security audit

FPL(Fantasy Premier League) assistant

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Fantasy Premier League helper that makes purpose-aligned public FPL API lookups and does not include executable code, credentials, persistence, or destructive behavior.

Safe to install for FPL advice. Only share a manager ID or squad details you want analyzed, do not provide FPL passwords or tokens, and consider narrowing the trigger phrases if accidental activation in non-FPL conversations would be disruptive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger set includes very broad terms like "fantasy," "captain," and "transfer," which can cause the skill to activate outside genuine FPL contexts. In an agent system, overbroad activation can lead to inappropriate routing, unintended external calls, or unnecessary collection of user/game data, even if the content itself is not overtly malicious.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README instructs the agent to fetch live FPL API data, including a manager-specific squad endpoint using a manager ID, without any privacy notice, consent step, or minimization guidance. This can cause user-linked identifiers and roster data to be transmitted to an external service without clear disclosure, which is risky in an agent environment where users may not realize external requests are being made on their behalf.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger list includes the standalone term "fantasy," which is overly broad and likely to match many unrelated conversations such as fantasy books, films, sports other than FPL, or imaginative writing. This can cause unintended skill invocation, leading the agent to apply the wrong workflow, fetch irrelevant external data, or steer the conversation away from the user's actual intent.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.