Security audit

Shards

Security checks across malware telemetry and agentic risk

Overview

This is a real game-integration skill, but it grants the agent broad authority over a Shards account, including account linking, password resets, purchases, and proactive gameplay; each of those capabilities needs careful review before the skill is installed.

Install only if you trust play-shards.com and the shards-cli npm package. Use a dedicated Shards account, keep ~/.config/shards/credentials.json and API keys out of chats and logs, and require explicit approval before invite links, password resets, Credits spending, marketplace buys or sales, staked duels, deck deletion, concessions, or proactive heartbeat/gameplay.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to read a local credentials file and use an API key for authentication, which goes beyond harmless game guidance and into sensitive secret handling. In an agent setting, normalizing direct credential access without explicit user consent or scoped secret management creates a clear path to unauthorized account actions or misuse of stored secrets.

Context-Inappropriate Capability

Severity: Low
Confidence: 86%
Finding
The skill directs the agent to initiate gameplay-related actions and conversations without a contemporaneous user request. While not directly a data-exfiltration flaw, this undermines user intent boundaries and can lead to unsolicited actions, account activity, and unnecessary external calls on the user's behalf.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill is presented as a card-game playing integration, but it also exposes human-account management operations such as invite generation and password reset. That scope expansion increases the chance an agent will access or disclose account-management artifacts that are unrelated to normal gameplay, violating least privilege and creating social-engineering or account-takeover risk.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
A password reset endpoint for a linked human is highly sensitive and is not justified by the stated purpose of playing a card game. If invoked accidentally, through prompt injection, or by ambiguous user phrasing, it could generate live reset links or tokens that enable account takeover or unauthorized password changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
Generating a single-use invite link for a human operator is outside the narrow gameplay purpose and introduces an account-linking capability that can be abused or mishandled. Even if intended for onboarding, such links are sensitive because disclosure to the wrong party may bind or grant access to an unintended human account.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The authentication examples show bearer tokens and API keys in curl commands but do not warn that passing secrets on the command line can leak them through shell history, process listings, terminal transcripts, and agent logs. In an agent skill context, this omission increases the chance that long-lived credentials are exposed during normal use rather than through an active exploit.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation advertises a public unauthenticated endpoint that returns full event logs, player identifiers, outcomes, and rewards for any game, but it provides no privacy warning or data-minimization caveat. This can enable broad harvesting of gameplay and identity-linked telemetry, especially by automated agents enumerating game IDs or correlating public summaries over time.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The troubleshooting guidance explicitly tells users to run `shards config show --reveal` to display their full API key, but it does not warn that this exposes a secret into terminal output, logs, screenshots, shell history, or agent context. In an agent-driven environment, revealing credentials is especially risky because the key may be captured by transcripts or forwarded to other tools, enabling account takeover or unauthorized API use.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The invocation guidance is broad enough to activate the skill in loosely related contexts such as general discussion of games or strategy. Overbroad triggering increases the chance the agent will access account state, contact remote services, or steer conversation toward the skill when the user did not intend that behavior.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The instructions access local credentials without any user-facing warning or consent checkpoint. Accessing `credentials.json` is sensitive because it may expose reusable API keys or tokens, and the user is not informed at the moment the agent is told to retrieve them.
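The credential findings above (reading credentials.json without a consent checkpoint, `shards config show --reveal` printing the raw key, and bearer tokens passed to curl on the command line) all come down to the same handling rules. The Python below is an added example, not code from the Shards skill, shards-cli, or play-shards.com: it refuses a credentials file that is readable by other users, redacts the key for display instead of revealing it, and hands the token to curl through a private `-K` config file so it never appears in argv, shell history, `ps` output, or an agent transcript of the command. The JSON layout (`{"api_key": ...}`), the Bearer-header API, and the sample key are assumptions constructed for the demo.

```python
# Added example; not code from the Shards skill, shards-cli, or play-shards.com.
# Assumptions (hypothetical): the credentials file is JSON with an "api_key"
# field, and the API expects an "Authorization: Bearer <key>" header.
import json
import os
import stat
import tempfile
from pathlib import Path


class CredentialError(Exception):
    """Raised when the credentials file is missing, malformed, or too open."""


def load_api_key(path: Path) -> str:
    """Return the API key, refusing a file that group or others can read.
    A leaked key is a reusable bearer credential, so 0600 is the floor."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} has mode {mode:04o}; expected 0600")
    data = json.loads(path.read_text())
    key = data.get("api_key")
    if not isinstance(key, str) or not key:
        raise CredentialError("api_key missing from credentials file")
    return key


def redact(secret: str, keep: int = 4) -> str:
    """What a 'config show' command should print instead of the raw key."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def curl_args_for(url: str, api_key: str, workdir: Path) -> list:
    """Build a curl command whose Authorization header lives in a private
    config file (curl -K), so the token is absent from argv, shell history,
    `ps` output, and any transcript of the command line."""
    fd, cfg_path = tempfile.mkstemp(prefix="curlcfg-", dir=workdir)  # mkstemp creates 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(f'header = "Authorization: Bearer {api_key}"\n')
    return ["curl", "--silent", "--show-error", "-K", cfg_path, url]


def demo() -> dict:
    """Exercise the helpers on a constructed credentials file (sample data,
    not a real key) and return what happened so it can be checked."""
    workdir = Path(tempfile.mkdtemp(prefix="shards-demo-"))
    cred = workdir / "credentials.json"
    cred.write_text(json.dumps({"api_key": "sk_sample_abcdef1234"}))  # constructed sample key
    os.chmod(cred, 0o600)
    key = load_api_key(cred)
    args = curl_args_for("https://api.example.invalid/v1/me", key, workdir)
    cfg_mode = stat.S_IMODE(os.stat(args[4]).st_mode)

    os.chmod(cred, 0o644)  # simulate the common mistake: world-readable secrets
    try:
        load_api_key(cred)
        rejected_open_file = False
    except CredentialError:
        rejected_open_file = True

    return {
        "key": key,
        "shown": redact(key),
        "key_in_argv": any(key in a for a in args),
        "config_mode": cfg_mode,
        "rejected_open_file": rejected_open_file,
    }


if __name__ == "__main__":
    print(demo())
```

The curl config file carries the secret, so in real use it should be deleted as soon as the request returns; the demo leaves it in the temporary directory only so its mode can be inspected.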

Missing User Warnings

Severity: Low
Confidence: 76%
Finding
The skill instructs routine writes to a local state file without warning the user that session data will be persisted across conversations. Although the stored fields are not highly sensitive by themselves, undisclosed persistence can surprise users and creates a cross-session behavioral record.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly tells the agent to share invite links and password resets with the human, but provides no warning that these are sensitive account-recovery or access-granting artifacts. In an agent setting, this normalizes disclosure of credentials or recovery material and can lead to account takeover or unauthorized access if surfaced in the wrong channel or to the wrong recipient.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
Broad trigger phrases like 'play shards' or 'join queue' can be matched in ordinary conversation and may cause state-changing actions such as joining matchmaking. In an agent setting, underspecified triggers increase the risk of accidental invocation from casual discussion, quoted text, or adversarial content.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
Commands like 'buy {card}', 'sell {card}', 'play {card}', 'pass', and 'concede' overlap with common speech and map directly to consequential actions. In context, these can trigger purchases, listings, or irreversible gameplay decisions without clear safeguards, making prompt confusion and indirect invocation materially dangerous.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The manifest includes destructive and purchase-capable operations such as deleting decks, buying listings, checkout, purchases, and conceding, but it provides no confirmation or warning guidance. Without explicit safeguards, an agent could execute costly or irreversible actions from ambiguous or manipulated input.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
A natural-language '/skill/execute' endpoint that directly executes parsed commands is especially risky because arbitrary text can be converted into state-changing actions. In combination with broad command patterns, this creates a powerful prompt-injection and accidental-execution surface for gameplay, marketplace, and account-management operations.
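The trigger and confirmation findings above (bare phrases like 'concede' or 'buy {card}' mapping to purchases and irreversible moves, no confirmation guidance for deletion or checkout, and a `/skill/execute` endpoint that turns arbitrary text into actions) describe the absence of one control: a gate between parsed text and execution. The Python below is an added example, not the Shards skill's own code, of such a gate. Read-only commands run on a bare trigger; anything that spends Credits, alters the account, or is irreversible in a match returns a "confirm" decision until the user approves that exact normalized command; and trigger phrases inside quoted or `>`-quoted text never fire, which covers pasted chat and injected content. The command vocabulary and tiers are hypothetical, modelled on the patterns the findings name.

```python
# Added example; not the Shards skill's own code. The command vocabulary and
# the tier assignments are hypothetical, modelled on the audit findings.
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    READ = "read"            # safe to run immediately
    GAMEPLAY = "gameplay"    # irreversible in-match decisions, matchmaking
    FINANCIAL = "financial"  # spends or lists Credits/cards
    ACCOUNT = "account"      # invite links, password reset, deck deletion


# Anchored, whole-message patterns: "let's play shards later" is not a command.
COMMANDS = [
    (re.compile(r"^(status|show decks|show hand)$"), Tier.READ),
    (re.compile(r"^(play|discard) (?P<card>[\w ]+)$"), Tier.GAMEPLAY),
    (re.compile(r"^(pass|concede|join queue)$"), Tier.GAMEPLAY),
    (re.compile(r"^(buy|sell) (?P<card>[\w ]+)$"), Tier.FINANCIAL),
    (re.compile(r"^delete deck (?P<deck>[\w ]+)$"), Tier.ACCOUNT),
    (re.compile(r"^(invite|reset password)$"), Tier.ACCOUNT),
]

# Double-quoted or backticked spans and '>'-quoted lines are someone else's
# words (pasted chat, a forum post, injected content), never an instruction.
QUOTED = re.compile(r'"[^"]*"|“[^”]*”|`[^`]*`|^>.*$', re.M)


@dataclass
class Decision:
    action: str             # "execute", "confirm" or "ignore"
    tier: Optional[Tier]
    command: Optional[str]  # normalized command text, if one matched
    reason: str


def normalize(message: str) -> str:
    """Drop quoted spans, then lower-case and collapse whitespace."""
    text = QUOTED.sub("", message).strip().lower()
    return re.sub(r"\s+", " ", text)


def gate(message: str, confirmed_for: Optional[str] = None) -> Decision:
    """Decide whether `message` may run. `confirmed_for` is the normalized
    command the user explicitly approved in this turn, or None."""
    text = normalize(message)
    for pattern, tier in COMMANDS:
        if pattern.match(text):
            if tier is Tier.READ:
                return Decision("execute", tier, text, "read-only command")
            if confirmed_for == text:
                return Decision("execute", tier, text, "explicitly confirmed")
            return Decision("confirm", tier, text,
                            f"{tier.value} action; ask before running {text!r}")
    return Decision("ignore", None, None, "no exact command match")


if __name__ == "__main__":
    for msg in ["status", "Concede", 'He said "concede" and laughed',
                "buy Ember Drake", "> reset password", "delete deck Aggro Red"]:
        print(f"{msg!r:40} -> {gate(msg)}")
```

The confirmation is bound to the normalized command text, so approving "buy ember drake" does not also approve a later "sell ember drake", and a confirmation that arrives inside quoted text is stripped before it is compared. A `/skill/execute`-style endpoint would call `gate()` first and only pass "execute" decisions to the real command handler.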

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The skill combines local credential access with account-status reporting and action-taking, but does not define data minimization boundaries for secrets or account metadata. In practice, this can lead to over-collection, accidental disclosure of tokens or account details, and use of private account context beyond what is necessary to play the game.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The heartbeat routine normalizes maintaining a cross-session local state file that tracks gameplay behavior, activity timing, Elo, streaks, and faction without explicit transparency controls. This creates a persistent behavioral profile and concealed session memory that may exceed user expectations for a game skill.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.