Security audit

我的世界JAVA版本MOD搜索整合Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a Minecraft mod search helper with disclosed network searches and optional CurseForge API key use, with no evidence of hidden, destructive, or unrelated behavior.

Install if you want Minecraft Java mod recommendations and are comfortable with search queries going to Modrinth, CurseForge, and mcmod.cn. Prefer using an environment variable or runtime argument for the CurseForge API key instead of writing it into shared files, and confirm ambiguous requests before letting the skill run network searches.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger list includes very broad terms such as generic mod-, gun-, and mechanical-related words that can cause the skill to activate in unintended contexts. Overbroad activation can route unrelated user prompts into a network-enabled skill, increasing chances of unnecessary external queries and incorrect tool use.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The modpack analyzer mode is triggered by ambiguous conditions like '3 or more functional directions' or broad phrases such as 'modpack recommendation.' This can cause the skill to enter a more complex, network-heavy workflow without clear user intent, amplifying the risk of over-collection, misrouting, and irrelevant recommendations.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The synonym table contains broad triggers such as ‘地图’, ‘维度’, ‘建筑’, and ‘魔法’, which can overlap with ordinary user wording and cause the agent to invoke this skill or make recommendations when the user did not actually request Minecraft mod search. In this skill’s context, that creates scope confusion and unreliable routing rather than direct code execution, but it can still mislead users, produce irrelevant recommendations, and suppress use of more appropriate skills or APIs.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The skill hard-codes the `Accept-Language: zh-CN,zh;q=0.9` header for MC百科 requests, forcing a Chinese locale regardless of user preference or workspace policy. This can leak inferred user locale/preferences to a third party and may cause region-specific content behavior without explicit consent, though the impact is limited compared with credential or code-execution issues.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal