PetRPG

Security checks across malware telemetry and agentic risk

Overview

PetRPG is a local digital pet game with proportionate local achievement storage; the advertised multiplayer feature is not implemented and should be reviewed separately if added.

Safe to install for local play if you are comfortable with a small game script creating or using data/achievements.json for progress. Do not add or enable a separate online.py or A2A multiplayer implementation unless you review where it connects, what pet or user data it sends, and how challenges are authenticated.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 80% confidence
Finding: The skill documentation describes executable scripts and persistence behavior but does not declare the corresponding permissions, creating a transparency and consent gap. Even if the file access is only for pet state or achievements, undeclared read/write capability can lead an agent or user to invoke the skill without understanding that local filesystem data may be accessed or modified.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 89% confidence
Finding: The skill's declared behavior does not accurately match the capabilities implied by the documentation and static findings, especially around local persistence and the claimed A2A multiplayer functionality. Description-behavior mismatches are dangerous because they undermine informed consent, make risk assessment harder, and can conceal unexpected data handling or future expansion into networked behavior without adequate review.

Vague Triggers

Medium

Confidence: 72% confidence
Finding: The skill description is broad and lacks clear trigger constraints, which increases the chance that an agent may invoke it in unintended contexts. While this is not inherently malicious, vague activation criteria can cause unnecessary code execution, unexpected file operations, or accidental engagement of multiplayer-related features.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The multiplayer section describes cross-agent challenge and synchronization behavior without warning users that data may be exchanged with other agents or external services. In a skill context, undocumented network-style interactions can expose identifiers, pet state, metadata, or interaction patterns, and can create trust and privacy risks beyond a simple local game.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The security section explicitly downplays multiplayer and A2A risks, which is itself a red flag because it may discourage proper review of privacy, integrity, and abuse concerns. Minimizing the security relevance of cross-agent interactions can lead users or orchestrators to enable features without considering spoofed challenges, data leakage, or unwanted external communication.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal