Back to skill

Security audit

Game Sentiment Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a real game-sentiment monitoring skill, but it needs review because it stores third-party credentials and automates logged-in forum access including CAPTCHA handling.

Review before installing. Prefer public and official-API channels, avoid giving passwords in chat, use restricted or disposable credentials if you enable authenticated channels, disable NGA CAPTCHA automation unless you accept the account-risk and platform-policy implications, and confirm exactly what will be sent to Feishu and retained under `game-sentiment-data`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill asks users to provide and store third-party credentials and API keys in a workspace file, which introduces secret-handling risk beyond simple public sentiment scanning. Because the skill is framed as scanning public feedback, collecting reusable credentials materially expands its access and breach impact if the workspace, logs, or downstream tools are compromised.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill can direct installation of Playwright via `mcporter add playwright`, which changes the local environment and exceeds pure reporting/analysis behavior. Allowing a content skill to initiate tooling installation increases the blast radius from passive analysis to administrative modification of the host system.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The NGA login flow explicitly includes captcha handling and AI recognition, which is a strong indicator of attempting to automate access controls rather than simply reading public content. Bypassing or automating anti-bot challenges materially increases legal, policy, and account-security risk and goes beyond the skill's stated public-monitoring purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest says the skill scans public feedback, but the documented Discord behavior targets `discord.com/channels/@me`, which implies logged-in/private account context rather than public web content. This is a capability mismatch that could expose private or semi-private conversations and mislead users about the data sources being accessed.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill's stated purpose is public-feedback monitoring, yet the execution flow includes direct NGA login using stored credentials. This mismatch is dangerous because it silently broadens the skill from public scraping to authenticated access, increasing privacy, security, and abuse potential.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Storing user credentials in a workspace credential file is outside the minimal expectations set by a reporting and alerting skill. Even if intended for convenience, this expands the consequences of file disclosure, backup leakage, or accidental sharing of the workspace.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The strategy goes beyond passive sentiment collection and explicitly automates access-barrier bypass behaviors such as credentialed login, CAPTCHA solving via AI, and ad-skip handling. In a monitoring skill, these capabilities materially expand the agent's power to access gated content and interact with protected flows, increasing the risk of unauthorized account use, terms-of-service violations, and unsafe automation on third-party platforms.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The document instructs the agent to read usernames/passwords and API secrets from local credential files, even though the skill is presented as sentiment monitoring rather than secret-dependent account operations. That creates an unnecessary secret-access capability and could lead to credential misuse, lateral access to unrelated accounts, or accidental exfiltration through prompts, logs, or downstream requests.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Recommending proxy/IP workarounds for blocked platforms expands the skill from analysis into circumvention of platform access controls. Even if framed as reliability guidance, it encourages evasion of provider restrictions and can expose users to compliance, abuse-detection, or legal risk unrelated to the stated monitoring purpose.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill solicits sensitive credentials and API keys without a clear warning about how they will be stored, retained, and protected. Lack of informed consent around secret handling makes accidental disclosure and unsafe user behavior more likely, especially in a conversational workflow.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Directing installation of Playwright without an explicit warning obscures that the skill may modify the user's environment. That reduces informed consent and can lead users to authorize administrative actions they did not expect from a monitoring/report skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill persistently writes configs, reports, raw data, and execution state to the workspace without clearly warning users about local data retention. For a monitoring workflow, those artifacts may include sensitive search terms, collected content, URLs, and account-related metadata that users may not expect to remain on disk.

Missing User Warnings

High
Confidence
94% confidence
Finding
Sending summaries and P1 alerts to Feishu transmits collected findings to an external service, but the skill does not prominently warn users about that external data flow. This creates privacy and confidentiality risk if reports include sensitive incident details, internal interpretations, or evidence excerpts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file tells the agent to read credentials from a local path without clearly disclosing that sensitive secrets will be accessed. This creates a transparency and least-privilege failure: users may invoke a sentiment scan without realizing the skill can touch stored account credentials, increasing the risk of unauthorized secret use or disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automated login combined with CAPTCHA handling is a risky account-access workflow, yet the strategy provides no warning about account lockout, anti-bot enforcement, or the sensitivity of using stored credentials in browser automation. In context, this makes the skill more dangerous because sentiment monitoring does not inherently require interactive account automation on third-party sites.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The strategy specifies pulling a YouTube API key from a local credentials file and sending it in outbound requests without warning users that a secret is being accessed and transmitted. While official API use is less risky than credentialed scraping, undisclosed secret handling still creates avoidable exposure and violates the principle of transparent, minimal secret use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.