GOG Cleanup Reminder

Security checks across malware telemetry and agentic risk

Overview

This skill transparently scans a local GOG library file, then can email the user and create Apple Reminders for games they may want to uninstall.

Use the documented dry-run first to preview the games, email subject, and reminder titles. Before a real run, verify config/gog_library.json and config/himalaya.toml point to the intended library and personal email account, because the script can send one email and create one Apple Reminder per stale game.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 84%
Finding: The skill invokes shell commands and reads local files but does not declare corresponding permissions, creating a transparency and policy-enforcement gap. In practice this can cause the agent or user to authorize and run capabilities they were not clearly warned about, including access to local config files and external side effects such as sending email and creating reminders.

VirusTotal

No VirusTotal findings
