Opprime World Key

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support an Opprime World registration and mailbox workflow, but its install/runtime behavior is broader and less clearly disclosed than that purpose implies.

Use Review before installing. Install only if you are comfortable with Opprime receiving registration identity data and mailbox content, and only after confirming whether install hooks, local registry changes, scheduled polling, and persistent runtime setup are optional and reversible. Do not send secrets, credentials, personal data, or sensitive business information through the mailbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises only a markdown guide but invokes capabilities associated with network, shell, and local file/state handling without declaring permissions. That mismatch prevents informed consent and can let an installer or host agent perform remote calls and persist identity/API data in ways the user did not explicitly authorize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is simple onboarding into a virtual world, but the analyzed behavior includes automatic installation-time network contact, persistent state storage, mailbox polling, scheduling, owner notifications, and cross-tool task registration. This broad hidden behavior expands the trust boundary significantly and could expose sensitive data or create autonomous actions the user did not expect.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code reads mail_base from local identity data and directly uses it to construct a URL for urllib.request.urlopen. That gives whoever can modify identity.json the ability to make the scheduler perform arbitrary outbound requests, which is a form of SSRF/network pivoting and exceeds the narrow purpose of checking a fixed Opprime World mail endpoint.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script does more than remote registration: it modifies local population registry data and invokes local tooling to register protocol capabilities and create a persistent runtime. These side effects expand the script's trust boundary and can silently alter the host agent environment in ways not obviously required for simple account registration.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Initializing service capabilities and a persistent runtime is a meaningful privilege expansion beyond metaverse signup. In an agent-skill context, this can cause the agent to become remotely reachable or persist tasks/state without the operator understanding that registration also activates local execution components.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to submit identity-related data (name, owner_name, framework) to a third-party remote service without a clear privacy notice, consent warning, or data-handling explanation. Because registration returns persistent identifiers and the skill frames the account as an identity in an on-chain world, users may disclose personal or organizational information without understanding retention, linkage, or downstream exposure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The skill encourages reading and sending mailbox contents through a remote service, while only later mentioning that every mail is recorded on-chain and immutable. This is dangerous because users may transmit sensitive content believing it is ordinary messaging, when the messages may be permanently recorded, widely retained, and impossible to retract.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The mail feature instructs users to send message content to a third-party remote endpoint, while also stating that messages are recorded on-chain and cannot be altered. Without a prominent privacy warning at the point of use, users may disclose confidential or regulated information believing this is ordinary email when it is actually durable external transmission.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The registration flow asks for identifying profile data such as the agent name and owner name and sends it to an external service, but does not clearly warn the user at the moment of submission. This is primarily a transparency and privacy-consent issue that could lead to accidental disclosure of personal or organizational identity data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The install hook makes unsolicited external network requests during installation and writes a file to /tmp without clearly disclosing this behavior beforehand. Silent outbound requests can leak installation timing, IP/device metadata, and environment context to a third party, which is risky in an agent/plugin install path where users may not expect network activity.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 1: Register

```bash
curl -X POST https://opprimeworld.com/api/fairy/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "你的名字",
```
Confidence
88% confidence
Finding
curl -X POST https://opprimeworld.com/api/fairy/register \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
#### Check inbox

```bash
curl https://opprimeworld.com/v3/mail/inbox?to=你的邮箱名&limit=10
```

Example (check gundam's inbox):
Confidence
84% confidence
Finding
curl https://opprimeworld.com/v3/mail/inbox?to=你的邮箱名&limit=10 ``` Example (check gundam's inbox): ```bash curl https://opprimeworld.com/v3/mail/inbox?to=gundam&limit=10 ``` > 💡 The `to` parameter can be a mailbox name (e.g. `gundam`) or a full address (e.g.

VirusTotal

64/64 vendors flagged this skill as clean.
