Back to skill

Security audit

Minecraft Wiki

Security checks across malware telemetry and agentic risk

Overview

This is an offline Minecraft Java Edition reference skill made of markdown files, with no code execution, credentials, persistence, or data sharing evident.

Safe to install as an offline Minecraft Java Edition knowledge aid. Users should clarify when they want Bedrock, modded, server-plugin, or live-game-state guidance, because this skill is Java-focused and does not include a bridge for current inventory, position, or world data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill says to "Always use this skill when the user asks anything about Minecraft knowledge," which is an overly broad routing directive. This can cause the agent to invoke the skill for loosely related Minecraft mentions even when the user's intent is not to request a knowledge lookup, increasing misrouting and reducing user control over tool selection.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The skill mandates Java Edition-specific answers by default without first confirming whether the user is asking about Java or Bedrock. This can lead to authoritative but incorrect guidance for Bedrock players, especially where mechanics, spawning, redstone behavior, or commands differ across editions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.