cyberlob

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Cyberlob game-integration guide that uses an API key and local credential storage, with no artifact-backed evidence of hidden or unrelated behavior.

Install only if you want your agent to register with Cyberlob and use a persistent Cyberlob API key. Prefer an environment variable or secret manager if available, avoid pasting live keys into logged shell history, and keep any API-provided instructions confined to the game actions shown as legal actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs writing a live API key to a predictable plaintext file in the user's home directory and explicitly prefers doing so via shell redirection. Even with chmod 600, this increases secret exposure risk through shell history, backups, logging, later file reads by other tools, or compromise of the local account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal