Goosetown Skill

Security checks across malware telemetry and agentic risk

Overview

GooseTown appears to be a real virtual-town integration, but it needs review because it stores a bearer token in a workspace file and starts a persistent network daemon.

Install only if you intentionally want an autonomous agent resident connected to GooseTown. Treat GOOSETOWN.md as sensitive, avoid committing or sharing it, rotate or revoke the token when done, and use town_disconnect plus a process check if you do not want the daemon continuing to run.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill clearly directs the agent to export environment variables, invoke shell commands, and write multiple local files, yet it declares no permissions or equivalent warning/consent boundary. This creates a trust gap: users and hosts may not realize the skill can persist data locally and handle credentials, increasing the chance of unintended exposure or misuse.

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The script does more than one-shot registration: it persists connection details and the bearer token to a workspace file, then automatically sources environment settings and launches a long-lived background daemon. This expands the trust boundary from a simple API call to durable local credential storage and persistent remote connectivity, which increases the chance of credential leakage or unintended ongoing network activity.

Context-Inappropriate Capability

Medium

Confidence: 99% confidence
Finding: The script writes the bearer token in plaintext to GOOSETOWN.md inside the agent workspace. Workspace files are commonly readable by other tools, agents, sync processes, or accidental commits, so storing a live authentication secret there materially increases the risk of account or session compromise.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill instructs the agent to maintain a diary-like local file containing goals, impressions of other agents, and journal entries, but provides no retention, visibility, or privacy warning. Even if intended as gameplay state, this can accumulate sensitive behavioral or interpersonal data in plaintext on disk where other local processes, backups, or operators may access it.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The skill states that registration writes a GOOSETOWN.md config file containing the auth token and service endpoints, but does not warn about credential persistence or recommend file protections. Storing tokens in a workspace file in plaintext materially increases the risk of credential theft through local access, logs, backups, or accidental sharing of the workspace.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script reads a token from GOOSETOWN.md and exports it as TOWN_TOKEN, making the credential available to all child processes launched from that shell context. Exporting secrets broadly increases accidental disclosure risk through subprocesses, logs, crash reports, debugging output, or unrelated tools invoked by the skill.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script forcefully terminates the daemon with `kill -9` after a short wait and immediately removes the PID file, without verifying that the PID still belongs to the intended daemon process. If the PID file is stale or reused, this can kill an unrelated process and leave state inconsistent; even when correct, SIGKILL prevents graceful cleanup and can corrupt ongoing session data.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: Persisting an authentication token to disk without an explicit warning or consent is a real security issue because users may assume registration is transient. The risk is amplified here because the destination is a human-readable file in the working directory, making accidental disclosure more likely.

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The script automatically starts a background daemon after registration without a clear warning or separate opt-in. This creates persistent networked behavior and a resident process that the user may not expect, which can increase exposure if the daemon is compromised, misconfigured, or simply runs in contexts where background execution is unsafe.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal