Steam Games CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Steam library helper, with expected API key use and no evidence of hidden or destructive behavior.

Install only if you trust the `steam-games-cli` npm package and are comfortable giving it a Steam API key and Steam ID to read your Steam profile/library data. Use a revocable Steam API key, avoid sharing it in chats or logs, and revoke or remove it if you stop using the skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill requires a Steam API key and describes remote filtering for reviews, Deck compatibility, and tags, but it does not clearly warn that game/library-related data and identifiers may be sent to Steam Web API services. In an agent context, users may assume analysis is local, so the absence of a disclosure can lead to unintentional data sharing and privacy surprises.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal