Back to skill

Security audit

Football Tracker Match & News AI

Security checks across malware telemetry and agentic risk

Overview

The football tracker is mostly purpose-aligned, but it handles API keys in a way users should review carefully before installing.

Install only if you are comfortable giving this skill a football-data.org API key. Prefer using a dedicated low-privilege key, rotate any key that was accidentally bundled or pasted into chat, and remove stored keys from storage/user_config.json when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions, yet its documented behavior requires reading configuration, writing user-specific API keys to disk, accessing environment/config state, and making network requests. This hidden capability expansion undermines least-privilege expectations and can cause the host agent to grant broader access than users or reviewers realize, especially because it handles secrets and persistence.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The public description says the skill is a football tracker, but the spec also instructs it to accept and persist user API keys and maintain on-disk user configuration. That behavior materially changes the trust model: users may provide credentials to a skill that does not transparently advertise secret handling and local storage, increasing the risk of accidental disclosure, overcollection, or insecure retention.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill persists per-user API keys to a local JSON file even though the stated functionality is only football tracking and summaries. Storing secrets on disk in plaintext expands the attack surface: any local file read, backup exposure, shared workspace access, or log/debug mishandling can disclose users' credentials, and the mismatch with the manifest makes the behavior harder for users to anticipate or consent to.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest-to-code mismatch is a real security concern because the skill claims to provide football information but also implements persistent storage of user API keys. Hidden or undocumented credential handling undermines informed consent and creates an unnecessary sensitive-data collection path that could be abused or accidentally exposed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly accepts an API key via normal chat input and stores it, but provides no warning about the sensitivity of the credential, how it will be stored, or whether it may appear in logs, transcripts, or model context. In an agent/chat environment, asking users to paste secrets directly into conversation is dangerous because those values may be retained, exposed to operators, or mishandled by downstream components.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code writes sensitive API keys directly to disk in plaintext JSON with no visible disclosure, protection, or access controls. If the host is multi-user, compromised, synced to cloud storage, or included in backups, those keys can be recovered and used to access upstream services on behalf of users.

Ssd 3

Medium
Confidence
97% confidence
Finding
The setup text tells users, 'You can send the key to me and I will finish the configuration for you,' which actively encourages transmission of a secret through the assistant channel. That normalizes unsafe secret handling and increases the chance that API keys are exposed in chat logs, telemetry, prompt history, or other systems that are not appropriate for credential exchange.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.