Loot Drop

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only gamification skill that creates fictional coding loot rewards and shows no evidence of code execution, credential use, data exfiltration, or destructive behavior.

Safe to install for light coding gamification. Avoid enabling automatic use in sensitive repositories or real incident channels unless you are comfortable sharing commit, release, or incident context with the agent for flavor text generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill declares that it 'runs automatically on qualifying events' such as commits, releases, and incidents, but does not define clear scope, gating, or user-consent boundaries for those triggers. Ambiguous auto-invocation can cause the skill to activate in unexpected contexts, creating prompt spam, workflow disruption, or unintended processing of sensitive work context from commits and incident metadata.

VirusTotal

66/66 vendors flagged this skill as clean.
