Steam Lowest Price Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Steam price watcher, but its documentation overstates its historical-low behavior: the implementation alerts on ordinary discounts, not only on historical lows or user-set target prices.

Install only if you are comfortable with the skill saving your watched games and target prices locally and contacting CheapShark and Steam. Treat it as a Steam discount and target-price notifier, not a verified all-time historical-low tracker, unless the implementation is updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises executable behaviors that imply file read/write and network access, but it declares no permissions. This leaves a transparency and governance gap: reviewers, users, and enforcement systems cannot accurately assess or constrain what the skill can do, which raises the risk of over-privileged execution and unnoticed data handling.
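The gap finding Lp3 describes can be checked mechanically: infer which capabilities a skill's source actually exercises and diff them against what its manifest declares. The script below is an added example, not code from the skill or from SkillSpector; the manifest shape (`{"permissions": [...]}`), the indicator table, and the stand-in skill source are assumptions constructed for illustration.

```python
# Added example, not code from the skill or from SkillSpector: a heuristic check
# for finding Lp3. It infers which capabilities a skill's Python source exercises
# and diffs them against the permissions its manifest declares. The manifest
# shape ({"permissions": [...]}) and the indicator table are assumptions.
import ast


# Dotted call names taken to imply a capability (assumed mapping, extend as needed).
# open() is handled separately because its mode decides read versus write.
CAPABILITY_INDICATORS = {
    "network": {"requests.get", "requests.post", "urllib.request.urlopen", "httpx.get"},
    "process": {"subprocess.run", "subprocess.Popen", "os.system"},
    "env": {"os.getenv", "os.environ.get"},
}


def _dotted_name(node):
    """Render a Name/Attribute chain such as requests.get as a string; None otherwise.
    Calls on intermediate results (Path("x").read_text()) are not resolved: this is
    a heuristic, so an empty result is not proof of absence."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _CapabilityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.used = set()

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name == "open":
            mode = "r"  # default mode when none is given
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = str(node.args[1].value)
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = str(kw.value.value)
            self.used.add("fs:write" if any(c in mode for c in "wax+") else "fs:read")
        elif name is not None:
            for capability, indicators in CAPABILITY_INDICATORS.items():
                if name in indicators:
                    self.used.add(capability)
        self.generic_visit(node)  # keep descending: nested calls matter too


def infer_capabilities(source):
    visitor = _CapabilityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.used


def audit(manifest, source):
    """Return what the source uses but the manifest omits (the Lp3 gap), and the reverse."""
    declared = set(manifest.get("permissions", []))
    used = infer_capabilities(source)
    return {
        "undeclared": sorted(used - declared),
        "unused": sorted(declared - used),
    }


# Constructed stand-in for a price-watcher skill: reads and writes a local
# watchlist and calls CheapShark. The manifest declares nothing, as in Lp3.
SAMPLE_SKILL_SOURCE = '''
import json
import requests

def load_watchlist(path):
    with open(path) as f:
        return json.load(f)

def save_watchlist(path, items):
    with open(path, "w") as f:
        json.dump(items, f)

def fetch_deals(title):
    return requests.get("https://www.cheapshark.com/api/1.0/deals",
                        params={"title": title}, timeout=10).json()
'''
SAMPLE_MANIFEST = {"name": "steam-lowest-price", "permissions": []}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_SKILL_SOURCE))
```

Run against the constructed sample, `audit` reports `fs:read`, `fs:write` and `network` as undeclared. The check is deliberately a heuristic: it only resolves calls whose receiver is a plain module path, so a clean result narrows a review rather than replacing it.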

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 80%
Finding: The documented behavior does not match the described purpose, especially around what counts as a historical low and when alerts are sent. This can mislead users and operators into trusting inaccurate alerts or authorizing capabilities under false assumptions; it is a security-relevant integrity issue even though it is not direct code execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The implementation triggers alerts for any discounted price, although the skill promises alerts only for historical lows or user-defined target prices. Users may trust the agent to notify only under those stricter conditions; instead it can generate noisy or misleading alerts and drive unintended actions. In an automation or agent context, violating declared trigger conditions is a real integrity issue, because downstream workflows may act on inaccurate alert semantics.
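Findings Tp4 and Description-Behavior Mismatch describe the same defect from two angles: what counts as an alert condition, and when an alert is sent. The block below is an added example, not the skill's own code, that puts the permissive "any discount" rule beside the rule the documentation promises and shows which titles each would announce. The deal records are constructed; the `cheapest_ever` field mirrors the cheapestPriceEver value CheapShark exposes, which is an assumption about the data the skill would use.

```python
# Added example, not the skill's own code: the alert rule the documentation
# promises (target price reached, or an all-time low) beside the permissive rule
# the finding describes (any discount). Deal records below are constructed; the
# cheapest_ever field mirrors the cheapestPriceEver value CheapShark exposes,
# which is an assumption about the data the skill would use.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Deal:
    title: str
    sale_price: float
    normal_price: float
    cheapest_ever: float  # lowest price ever seen for this title, current sale included


def noisy_should_alert(deal: Deal, target: Optional[float]) -> bool:
    """The mismatched rule: fires on any discount, ignoring target and history."""
    return deal.sale_price < deal.normal_price


def strict_should_alert(deal: Deal, target: Optional[float]) -> bool:
    """The documented rule: user target reached, or price at (or below) the all-time low."""
    hits_target = target is not None and deal.sale_price <= target
    at_historical_low = deal.sale_price <= deal.cheapest_ever
    return hits_target or at_historical_low


def alerts(deals: Iterable[Deal], watchlist: Dict[str, Optional[float]],
           rule: Callable[[Deal, Optional[float]], bool]) -> List[str]:
    """Titles the given rule would alert on; only watched titles are considered."""
    return sorted(d.title for d in deals if d.title in watchlist and rule(d, watchlist[d.title]))


def should_notify(deal: Deal, target: Optional[float], last_notified: Dict[str, float]) -> bool:
    """Strict rule plus de-duplication: a price already announced is not announced again.
    This covers the 'when alerts are sent' half of the mismatch."""
    if not strict_should_alert(deal, target):
        return False
    if last_notified.get(deal.title) == deal.sale_price:
        return False
    last_notified[deal.title] = deal.sale_price
    return True


# Constructed sample: four watched titles, two with a user target.
WATCHLIST = {"Game A": None, "Game B": None, "Game C": 15.00, "Game D": 10.00}
DEALS = [
    Deal("Game A", 9.99, 19.99, 4.99),    # ordinary discount, well above its all-time low
    Deal("Game B", 4.99, 19.99, 4.99),    # sitting at its all-time low
    Deal("Game C", 12.00, 30.00, 8.00),   # above its low, but under the user's target
    Deal("Game D", 30.00, 30.00, 8.00),   # not on sale
]


def false_positives() -> List[str]:
    """Titles the noisy rule announces that the documented rule would not."""
    return sorted(set(alerts(DEALS, WATCHLIST, noisy_should_alert))
                  - set(alerts(DEALS, WATCHLIST, strict_should_alert)))


if __name__ == "__main__":
    print("noisy :", alerts(DEALS, WATCHLIST, noisy_should_alert))
    print("strict:", alerts(DEALS, WATCHLIST, strict_should_alert))
    print("false positives:", false_positives())
```

On the constructed data the noisy rule announces Game A, B and C while the documented rule announces only B and C; Game A is exactly the "ordinary discount alert" the Overview warns about. An agent acting on the noisy rule's output (purchasing, or posting a notification elsewhere) would act on a condition the user never asked for, which is why the finding treats the mismatch as an integrity issue rather than a usability nit.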

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal