Back to skill

Security audit

ChessMaster

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed chess-platform integration whose persistence and autonomous moves are purpose-aligned, though users should treat its game token as a secret.

Install this only if you want an agent to keep playing ChessMaster games after a room is active. Keep agentToken values private, avoid logging or sharing them, request live move updates if you want more visibility, and clear stored room IDs and tokens when you want play to stop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to store `agentToken` and `roomId` in persistent memory or a database, which creates a credential retention capability beyond the immediate gameplay interaction. Even if intended for reconnect/resume behavior, long-lived storage of bearer tokens increases the risk of token leakage, reuse by other skills/components, or unintended cross-session access if the storage layer is compromised or over-broadly accessible.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to persist both `roomId` and `agentToken` in a file or database, but provides no guidance on secure storage, access controls, encryption, or lifecycle protection for the token. Because the `agentToken` is a bearer credential used to query games and submit moves, improper persistence can expose reusable secrets to other skills, users, logs, backups, or filesystem readers, enabling unauthorized game actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation requires persistent storage of authentication tokens without any warning about credential sensitivity, retention, or privacy implications. This can normalize unsafe handling of secrets and cause agents to retain bearer credentials in memory systems or databases that were not intended for secure secret storage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.