TikiCow

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TikiCow game skill, but it gives an agent a live game token that can change account state.

Install only if you are comfortable letting an agent act in your TikiCow account. Generate codes only inside the official game, treat the returned token like a password, avoid logging or sharing it, and require explicit approval before marketplace trades, bot registration, or other state-changing actions if you do not want autonomous play.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs the agent to store and use a bearer token but gives no warning that the token is a sensitive credential tied to a live game account. That omission increases the chance the token will be logged, echoed back to users, or reused insecurely, enabling account actions such as trades, farming, or bot registration if exposed.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal