March Madness AI Bracket

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill does what it says: it submits a March Madness bracket to an external service, with a caution around storing the returned API key.

Before installing, be comfortable sending bracket picks, display name, and AI model/provider details to maincharacter.enterprises. If you use the returned API key, store it in a private secrets store or other protected location, avoid logs or public chats, and delete it when group operations are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to persist a one-time `api_key` in agent memory or a local file, but provides no safeguards for secret handling, scoping, encryption, retention, or user consent. In an agent environment, storing credentials in memory or local files can expose them to other tools, logs, later prompts, or unintended disclosure, enabling unauthorized group actions tied to the submitted bracket.

VirusTotal

64/64 vendors flagged this skill as clean.
