UAPI 查询 Steam 用户接口

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent read-only helper for looking up Steam public profile summaries through UAPI, with a minor routing caution around broad trigger wording.

Install this only if you want your agent to query Steam profile summaries through uapis.cn. Confirm the user request is specifically about a Steam user before invocation, and do not pass a Steam Web API key unless necessary for that request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger keyword "summary" is excessively generic and can match many unrelated user requests, causing the agent to invoke this Steam-specific skill when the user intended something else. In a routing system, overbroad triggers can lead to incorrect tool selection, unintended data lookups, and disclosure of third-party profile information in contexts unrelated to Steam.

Vague Triggers

Low

Confidence: 82% confidence
Finding: The invocation guidance says to use the skill when the request "directly corresponds" to querying a Steam user, but it does not define exclusion conditions or boundary cases. This ambiguity increases the chance of accidental misrouting to the endpoint, especially when user requests are only partially related to gaming, profiles, or summaries.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal