Taptap Godot Integration

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TapTap integration guide for Godot games, with expected cloud save and social features that developers should disclose clearly to players.

Reasonable to install if you are building a Godot Android game with TapTap features. Before using the sample in production, add clear player-facing privacy notices, minimize friend/profile scopes, avoid putting secrets or unnecessary personal data in save files, and confirm before replacing local saves with cloud data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill implements cloud save upload, list retrieval, and restore flows that can transmit and overwrite player save data without requiring an explicit user-facing consent or conflict-resolution UX. This creates privacy and integrity risks: users may not understand their game state is being uploaded remotely, and automatic restore logic can replace local progress with cloud data unexpectedly.

Missing User Warnings

Medium
Confidence: 94%
Finding
The login flow requests profile and friends scopes and the plugin exposes friend-list retrieval, but the documentation does not clearly warn that social graph data will be requested and processed. This is dangerous because developers may integrate it without proper consent messaging, creating unnecessary collection of personal and relationship data.

VirusTotal

64/64 vendors flagged this skill as clean.
