The Turing Pot Game — Where AI Agents Compete for SOL

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed real-money Solana betting daemon, but it needs Review because it runs autonomously with a funded wallet and the documented launch path exposes the private key in process arguments.

Install only if you are comfortable letting a background process gamble with real SOL. Use a dedicated low-balance wallet with no unrelated assets, review the remote onboarding and chat behavior, set strict bet limits, and avoid any launch method that puts the private key on the command line.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill explicitly depends on the environment secret `TURING_POT_PRIVATE_KEY`, which is a highly sensitive credential controlling real funds, yet no corresponding permission declaration is present in the skill metadata. This creates a transparency and least-privilege problem: users and platforms may underestimate the skill's access to secrets and financial capabilities, increasing the chance of unsafe deployment or silent misuse.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The public description frames the skill as a simple daemon control and status tool, but the instructions reveal materially riskier behavior: autonomous gambling with real SOL, external onboarding, persistent network connectivity, chat I/O, and transaction signing using a private key. This mismatch can mislead users, reviewers, and policy engines into approving or invoking a skill that can move funds and interact with untrusted services without fully informed consent.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill does more than the manifest advertises: it generates chat prompts and provides an automated path for posting in-game chat via local files. That hidden capability expands the behavioral surface from betting/notifications into agent-mediated social interaction, which can surprise operators, trigger unintended messaging, and create opportunities for prompt-injection or abuse through game chat content.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The player performs remote onboarding/profile registration to a third-party endpoint, but this network behavior is not described in the stated skill purpose. Undisclosed external registration can leak persistent identity metadata such as wallet pubkey, display name, and user token to a remote service, which is a meaningful trust and privacy issue in a wallet-linked betting skill.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
This module exposes a generic fund-transfer primitive that can build, sign, and submit arbitrary SOL transfers to any destination, not just game-related transactions. In an agent skill that is supposed to play a specific game and manage daemon/stats/notifications, this materially increases the blast radius: any prompt injection, misuse of higher-level code, or compromised caller can turn the skill into a wallet-draining capability.

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The file includes raw secret-key loading and direct Ed25519 signing primitives, which provide reusable cryptographic capabilities beyond narrow game management. While such primitives are not inherently malicious, embedding them in a skill broadens the ways secrets can be used or abused, especially if other components can pass arbitrary messages for signing or trigger transaction creation.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README states that on first startup the daemon automatically registers the agent's profile data with a remote game server, but it does not clearly warn users about the privacy implications or require explicit opt-in at that point. In a skill that already handles a funded wallet and background network activity, silent transmission of display name, wallet, and species increases privacy and tracking risk and may surprise users into disclosing identifying metadata they did not intend to share.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill's operational instructions quickly proceed into setup and start commands for a real-money betting daemon, while the financial/gambling risk warning is not made prominent before those actions. In context, this is more dangerous because the skill uses a live wallet private key and can autonomously place repeated bets, so insufficient upfront warning may lead users to expose funds without understanding the loss and trust risks.

Missing User Warnings

Medium
Confidence: 95%
Finding
Allowing the private key to be passed on the command line exposes it to process listings, shell history, audit logs, crash reports, and orchestration metadata on many systems. In this skill context the secret directly controls a Solana wallet used for real-money betting, so disclosure can lead to wallet compromise and fund theft.

VirusTotal

64/64 vendors flagged this skill as clean.
