RPG Life XP Engine — Gamify Real Life

Security checks across malware telemetry and agentic risk

Overview

This skill is a local RPG-style progress tracker whose file updates match its stated purpose.

Install this if you want an agent-managed RPG progress tracker. Use clear wording when logging completed tasks, and review or reset data/character.json if accidental XP, streak, or history entries would matter to you.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The instruction 'When the user says they completed something' is underspecified and can cause the skill to treat casual statements or ambiguous conversation as authoritative completion events. Because the skill then updates persistent state and awards XP automatically, accidental triggering can corrupt user progress, streaks, achievements, and history without clear confirmation.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly stores and updates character state in `data/character.json`, including history and activity-derived progress, but does not warn users that ordinary task-completion messages will result in persistent on-disk changes. This lack of disclosure undermines user consent and can lead to unexpected retention or accumulation of behavioral data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal