Security audit

Lt99

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill matches its LT99 practice-game purpose, but it gives an agent a sensitive API key and betting authority without enough confirmation or key-handling safeguards.

Review before installing. Use only with a limited LT99 practice account and a revocable key, confirm the base URL is the intended earninghub.ai LT99 API, avoid environment overrides unless you control them, and require the agent to show the exact digit, amount, and request destination before every bet.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to send a user-provided API key in a Bearer Authorization header to a remote service, but it does not explicitly warn that the credential will be transmitted off-platform or discuss trust boundaries, key scope, or handling risks. Because the whole purpose of the skill is delegated authenticated access to an external service, users may unknowingly expose reusable credentials to a third party through the agent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal