Cricket Live

Security checks across malware telemetry and agentic risk

Overview

This skill coherently provides cricket scores and alerts, with expected API use and only low-impact local-file cautions.

Install only if you are comfortable using a CricketData.org API key with this skill. Prefer CRICKET_API_KEY over saving the key in config, use a free or limited key, avoid shared multi-user machines where process arguments or /tmp files may be visible or tampered with, and rotate the key if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The script stores mutable state in /tmp, a world-writable directory, without using a unique secure filename or validating file ownership and type before reading and writing it. On multi-user systems this creates a symlink/race/tampering risk: another local user could pre-create or replace the file and influence alerts, corrupt state, or potentially redirect writes to another file writable by the script's user.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal