BotBrag

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed BotBrag integration, but users should treat Bitcoin donations and leaderboard messages as real, public actions.

Before using donation features, confirm the exact amount and recipient flow, remember Bitcoin payments are generally irreversible, and only submit sender names, messages, or URLs that you are comfortable having displayed publicly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs users to create Bitcoin donations and submit public-facing content (`senderName`, `message`, `url`) but does not warn about irreversible financial transfer, potential public disclosure, or reputational/privacy consequences. In an agent setting, this can lead to unintended payment actions or publication of user-supplied content to a public leaderboard without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
