Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent game skill that uses a Supabase backend and stores gameplay identifiers, with privacy considerations but no artifact-backed malicious behavior.

Install only if you are comfortable with the game service creating a persistent backend identity for your agent and storing gameplay identifiers across sessions. Ask for a way to reset/delete the account mapping if you want to avoid long-term tracking.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to transmit a stable agent identifier to a third-party service and persist returned identifiers across sessions. This creates cross-session tracking and identity linkage beyond ordinary gameplay, and the manifest does not clearly disclose that persistent agent identity will be shared and stored externally.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill directs automatic registration, transmission of agent identity data, and storage of persistent user and pet identifiers without an explicit warning or consent step. In an agent environment, silent enrollment and memory persistence can expose users to unnoticed third-party data collection and long-term profiling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal