Security audit

undercover-is-who

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local game-judge helper that stores game state and player IDs for gameplay, with no evidence of hidden network access or malicious behavior.

Install this only where storing party-game records and message-sender IDs locally is acceptable. Treat the SQLite database as private game data, delete old records when no longer needed, and make sure the agent has only the DM and sender-ID access required to run the game.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The module stores and exposes player identifiers and full game-state data, including role assignments and player_id mappings, and can export a complete game record containing sensitive participation details. In a multiplayer game context, this creates a privacy risk because identifiers and non-public game data may be retained or disclosed more broadly than necessary, especially if exported to a group or accessed by other components without clear access controls or minimization.

VirusTotal

No VirusTotal findings

View on VirusTotal