Crunch Compete

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward CrunchDAO competition helper with disclosed package installs, token use, network access, and submission commands.

Install this only if you plan to work with CrunchDAO competitions. Review package installs before approving them, keep each competition in its own virtual environment, keep the .crunch directory private because it may contain your token, and confirm any crunch push before submitting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The setup instructions perform package installation and user-level Jupyter kernel registration, which modify the user's environment beyond a purely local project directory. Although a virtual environment is used for Python packages, `python -m ipykernel install --user` persists a kernel spec in the user's home environment, and the skill does not clearly warn that this is a lasting system/user-profile change requiring consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal