Agentsports

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed agentsports.io account and prediction tool, but users should treat it carefully because it can handle credentials and place real-money sports predictions.

Install only if you intend to let an agent use agentsports.io. Review the real-money prediction flow carefully, set ASP_MAX_STAKE before use, require explicit approval for paid rooms, and remember that saved credentials/session data live in ~/.asp/ until removed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The manifest description is broad promotional language that encourages invocation for real-money sports prediction without specifying clear trigger conditions, user-consent gates, or negative examples. In an agent ecosystem, this can cause the skill to be surfaced or invoked in contexts where financial actions, account handling, or gambling-related workflows are inappropriate, increasing the risk of unintended use.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal