csgo

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CSGO item price-monitoring helper with expected API use, alerts, and stored watchlists, but users should review webhook and schedule settings before enabling it.

Before installing, verify any missing package or script files from the publisher, keep CSQAQ and webhook tokens out of shared configs, confirm which notification channels and cron jobs are enabled, and clear stored monitor data when you no longer want the watchlist retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The natural-language commands are very broad and do not define clear trigger boundaries, confirmation requirements, or exclusions for state-changing actions like adding monitors and sending notifications. In an agent setting, ambiguous commands can cause unintended monitoring, persistent storage, or external notifications based on casual conversation rather than explicit user consent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill describes outbound webhook notifications and ongoing monitoring/logging, but it does not clearly warn users that market data, alerts, and possibly user-configured content will be transmitted to third-party services and retained in memory. This creates privacy and data-governance risk, especially when persistent logs and external notification channels are enabled by default or encouraged in setup instructions.

VirusTotal

66/66 vendors flagged this skill as clean.
