Back to skill

Security audit

Cricket Live

Security checks across malware telemetry and agentic risk

Overview

This skill coherently provides cricket scores and alerts, with expected API use and only low-impact local-file cautions.

Install only if you are comfortable using a CricketData.org API key with this skill. Prefer CRICKET_API_KEY over saving the key in config, use a free or limited key, avoid shared multi-user machines where process arguments or /tmp files may be visible or tampered with, and rotate the key if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The script stores mutable state in /tmp, a world-writable directory, without using a unique secure filename or validating file ownership and type before reading and writing it. On multi-user systems this creates a symlink/race/tampering risk: another local user could pre-create or replace the file and influence alerts, corrupt state, or potentially redirect writes to another file writable by the script's user.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.