Security audit

FargoRate

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent FargoRate lookup helper with optional local change tracking, but users should treat its database and change output as potentially sensitive.

Before installing, remember that the Homebrew formula installs an external fargo CLI from a third-party tap. If you use --db, the local SQLite database may contain player history and any contact details you add manually; avoid forwarding --changes or --json output to logs, bots, or shared channels unless you are comfortable exposing those fields.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation explicitly states that local-only contact fields are included in `--changes` output when a player's rating changes, and the adjacent examples show `--json --changes --db` usage without a prominent warning that this can serialize locally stored personal contact data. In an agent setting, JSON output is commonly forwarded to logs, downstream tools, or other services, so users may unintentionally disclose email, phone, Telegram, or Discord data they believed would remain local.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.