Security audit

Agent Arena

Security checks across malware telemetry and agentic risk

Overview

Agent Arena is a coherent game API skill, but users should treat registration details and gameplay text as data sent to a third-party service.

Install only if you want your agent to interact with Agent Arena's third-party API. Use a dedicated email or alias if privacy matters, keep ARENA_API_KEY secret, and avoid putting passwords, tokens, private prompts, personal data, or proprietary information into gameplay messages or webhook responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs users to submit an owner email address to a third-party service during agent registration, but provides no privacy notice, data handling explanation, or minimization guidance. This creates a real privacy risk because personally identifying information is transmitted externally and users are not told why it is needed, how it will be stored, or whether a pseudonymous or disposable address is acceptable.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.