Trakt

Security checks across malware telemetry and agentic risk

Overview

This Trakt plugin is a coherent account-integration tool, but users should be careful because it can change Trakt watch history and watchlists when asked.

Install this only if you want an agent to access your Trakt account through trakt-cli. Treat write actions such as marking watched, removing history, and changing watchlists as account changes: confirm exact titles and dates before allowing them, and be aware the external trakt-cli and ~/.trakt.yaml OAuth setup are part of the trust boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly supports `trakt-cli history add` to modify a user's Trakt watch history, but it provides no guidance to require explicit user confirmation before performing that state-changing action. Because watch history affects a personal account and may be hard to audit or reverse, an agent could incorrectly or prematurely mark items as watched, causing integrity and privacy-related account changes.

VirusTotal

55/55 vendors flagged this plugin as clean.
