Back to skill

Security audit

Tcg Strategy Advisor

Security checks across malware telemetry and agentic risk

Overview

This skill is a local card-game strategy helper, but its examples overpromise current tournament and card-value advice.

Install only if you want general TCG deck-structure and strategy framing. Do not rely on it for current metagame rankings, exact competitive decklists, matchup statistics, live prices, or investment advice unless you separately verify that information from current trusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README materially expands the skill from 'clarify a cleaner deck plan without pretending to know the live metagame' into live metagame analysis, matchup guidance, and competitive decklist generation. This scope drift can cause the agent to present unsupported, stale, or hallucinated advice as current strategic guidance, undermining user trust and bypassing the stated safety boundary.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The collection 'investment strategy' scenario pushes the skill into financial-style collectible advice, which is outside the declared purpose of deck-plan clarification. That mismatch increases the risk of users receiving speculative or misleading purchase recommendations without appropriate guardrails, disclosures, or domain support.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
These usage scenarios promise competitive decklists, matchup advice, and pricing guidance that depend on live metagame and market data, directly contradicting the skill's stated descriptive-only scope. This can cause the agent to fabricate current information or appear to have external knowledge it does not possess, leading to misleading advice and scope expansion beyond declared behavior.

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The documentation states that the skill does not use live card pools, tournament data, or matchup databases, but later examples and guidance rely on exactly those external sources. Contradictory instructions are dangerous because they create ambiguous operating boundaries, increasing the chance the agent will overclaim capabilities or provide hallucinated real-time advice.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The top-level description claims the skill helps without pretending to know the live metagame, yet later expected outputs require current competitive recommendations. This mismatch encourages deceptive or fabricated responses because the skill advertises one trust boundary while modeling another in examples.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Scenario 2 broadens the skill from deck-structure advising into ladder coaching, replay analysis, metagame tracking, and external community/tool recommendations. This undocumented expansion increases the risk of the agent steering users toward unsupported external dependencies or presenting speculative competitive guidance as part of the core skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.