Back to skill

Security audit

Hitchhikers Guide

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local text-adventure skill that runs a small Python save manager and stores gameplay progress locally.

Install only if you are comfortable with a skill running a local Python helper and keeping game progress/history in files under its own assets folder. Avoid entering sensitive information during gameplay, and use reset only when you intentionally want to replace the local save.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly describes persistent local state and reset functionality but does not warn users that commands modify or erase local save data. In an agent setting, this omission can lead to unintended data loss because an automated agent may invoke reset/update operations as part of normal gameplay without explicit user consent or clear disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instruction to automatically save new Guide entries to `assets/GUIDE.md` causes silent file modification without notifying the user or requesting confirmation. Even in a game context, automatic writes can overwrite content, accumulate unexpected data, or persist user-provided text to disk without the user's awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill says to always assume the user wants to continue the game and load or initialize state from a local file if none exists, which establishes persistence without clear consent. This can surprise users by reading prior session data, creating new save files, or retaining gameplay history and derived content across sessions without warning.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The listed atomic commands perform persistent updates to inventory, location, stats, flags, history, and other game state, but the skill provides no user-facing warning that these commands modify local files. Because the writes are numerous and routine, the risk is not a single dangerous command but a persistent pattern of silent state mutation and retention.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.