Security audit

Sports Pronostics

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent football prediction helper, but it uses a RapidAPI football service and broad football-related triggers that users should understand before installing.

Install only if you are comfortable with ordinary football-related prompts triggering external RapidAPI calls that consume your RapidAPI key and quota. Use a dedicated, limited-scope RapidAPI key, confirm that RAPIDAPI_HOST points to the intended football-data provider, and expect responses in French unless you instruct the agent otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium (92% confidence)

Finding: The trigger condition activates on very common terms like "football", "matches", or "betting", which can cause the skill to engage in many conversations where the user did not explicitly ask for sports predictions. This increases the chance of unintended tool use, scope creep, and responses that override the user's preferred context or language/style.

Natural-Language Policy Violations

Severity: Medium (89% confidence)

Finding: The skill is written to force French-language behavior without checking the user's language preference. This can cause an unwanted takeover of the conversation style, reduce usability, and create prompt-priority conflicts when the user is interacting in another language.

Missing User Warnings

Severity: Medium (88% confidence)

Finding: The skill sends user-influenced parameters and an API credential to a third-party service without any disclosure, consent, or visible indication to the user that their requests are being transmitted externally. In an agent setting, this creates a privacy and transparency risk because ordinary football-related prompts can cause silent outbound requests, and any user-provided identifiers or query values may be exposed to the external provider.

Vague Triggers

Severity: High (96% confidence)

Finding: The trigger list includes very broad terms such as "match", "foot", "football", and "score", which are likely to appear in ordinary conversation and can cause unintended skill activation. In an agent environment, this increases the chance of silent network access and third-party data transmission when the user did not intend to invoke this skill, amplifying both privacy and control risks.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with an outbound network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: sports-pronostics.js:6