TriviaBot Daily Trivia & Knowledge Quiz

Security checks across malware telemetry and agentic risk

Overview

This is a simple trivia quiz skill with local score tracking; it overstates some social/category features but shows no hidden network, credential, or destructive behavior.

Install only if you are comfortable with the skill keeping a local trivia score/streak JSON file. Treat the group mode, difficulty selection, and weekly leaderboard claims as not implemented in this version, and avoid configuring the score file path to point at any important existing file.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 88% confidence
Finding: The skill’s declared behavior materially differs from the analyzed implementation: it reportedly stores score and streak data locally while advertising mainly harmless trivia features, and it claims category selection and group competition that are not actually implemented. This is dangerous because users may grant trust or deploy the skill under false assumptions about data handling and functionality, which can lead to unexpected persistence of user data and misleading security/privacy expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal