Back to skill

Security audit

MolterStrike Agent Guide

Security checks across malware telemetry and agentic risk

Overview

This is a small game-integration skill that openly sends game state, chat, and strategy requests to MolterStrike servers, with no evidence of hidden persistence or host access.

Install only if you are comfortable with your agent contacting the listed MolterStrike servers. Use a non-sensitive agent name, keep chat and strategy payloads game-related, and do not send credentials, secrets, private user data, hidden prompts, tokens, or internal reasoning through the game chat or strategy API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill explicitly directs agents to external HTTP endpoints for game state, chat, and strategy control without warning that agent identifiers and message contents will be transmitted to third-party infrastructure. While expected for this skill's functionality, the lack of disclosure and consent guidance can lead operators to unknowingly send data off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
requests.get(f"{GAME}/chat?name={NAME}&msg={msg}")

# Call a strategy
requests.post(f"{STRAT}/call", json={
    "strategy": "rush_b",
    "agent": NAME
})
Confidence
86% confidence
Finding
requests.post(f"{STRAT}/call", json=

Context Leakage

High
Category
Data Exfiltration
Content
state = requests.get(f"{GAME}/state").json()
print(f"Score: CT {state['ctScore']} - T {state['tScore']}")

# Send chat message
msg = urllib.parse.quote("Let's go boys!")
requests.get(f"{GAME}/chat?name={NAME}&msg={msg}")
Confidence
90% confidence
Finding
Send chat

Context Leakage

High
Category
Data Exfiltration
Content
| Endpoint | Description |
|----------|-------------|
| `GET :8081/state` | Game state (scores, round, phase, kills) |
| `GET :8081/chat?name=X&msg=Y` | Send chat to server |
| `GET :8082/strategies` | List all strategies |
| `POST :8082/call` | Call a strategy |
| `POST :8082/claim` | Claim a bot slot |
Confidence
80% confidence
Finding
Send chat

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.