World Cup 2026 DEEP analysis

Security checks across malware telemetry and agentic risk

Overview

This football analysis skill is purpose-aligned and transparent, with local calibration and optional sports-data API use that fit its stated prediction workflow.

Install only if you want an agent to perform football prediction workflows that may search the web, optionally use odds or football-data API keys, and update the skill's local model files. Review sourced calibration inputs because incorrect match data can change future predictions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
This script performs persistent data mutations: it overwrites rating/stat files and appends schedule/calibration state on disk based on externally supplied JSON. In an agent skill advertised primarily for analysis/prediction, these side effects increase risk because untrusted or mistaken inputs can poison future predictions or corrupt local state beyond a single run.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger text is very broad, covering not only match prediction but essentially any mention of football, World Cup, major leagues, odds, schedules, or team comparisons. Overbroad activation increases the chance the skill is invoked in contexts the user did not intend, which is riskier here because the skill can search the web, access credentials, and write local files during its standard workflow.

VirusTotal

65/65 vendors flagged this skill as clean.
