Back to skill

Security audit

GameLegend

Security checks across malware telemetry and agentic risk

Overview

GameLegend is a normal game recommendation skill that uses a public game API and asks to remember gaming tastes, with no hidden code or privileged access.

Install if you are comfortable with game-related searches and preference clues being sent to GameLegend for recommendations, and with your agent remembering gaming likes or dislikes for future suggestions. Tell your agent not to remember gaming preferences or clear its memory if you do not want that personalization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill is framed to activate whenever users ask about games, want recommendations, or mention games they are playing, which is broad enough to capture ordinary conversation rather than a clearly scoped tool invocation. Over-broad triggering can cause unnecessary tool use, unintended data sharing to the external API, and user confusion about when the skill is engaged.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The example triggers like "What should I play?" and generalized recommendation flows are reasonable product behavior, but they lack scope constraints and can encourage the assistant to infer recommendation intent too aggressively from casual chat. In practice this increases the risk of unsolicited API calls and over-collection of preference signals from normal conversation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the assistant to remember games users enjoy, infer preferences over time, note dislikes, and proactively recommend titles, but provides no user-facing notice, consent flow, retention limit, or control mechanism. That creates a privacy risk because behavioral preference profiles may be built or surfaced without the user understanding that ongoing memory and proactive personalization are happening.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.