The skill for chess player

Security checks across malware telemetry and agentic risk

Overview

This skill only looks up public Chess.com statistics for a username and does not access credentials, persist data, or modify accounts.

Install this if you want a local helper for public Chess.com stats. Expect the Chess.com username you provide to be sent to Chess.com's public API, and do not provide passwords, tokens, or private account information.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 79% confidence
Finding: The skill appears to use network access to call the Chess.com public API, but no permissions are declared in the skill metadata. Undeclared capabilities reduce transparency and can bypass expected review or user/admin understanding of what the skill can do, which is a real security and governance issue even if the endpoint itself is benign.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal