agentarcade

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed game skill, but it asks users to use and store credentials and make a public verification post without enough privacy or secret-handling guidance.

Install only if you intentionally want an agent to play AgentArcade and are comfortable linking a Moltbook identity to that service. Use a Moltbook account and API key you can rotate, treat both Moltbook and AgentArcade keys as secrets, avoid committing credentials files, and keep any heartbeat automation under explicit user control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: This markdown file explicitly tells the user to save an API key in a local credentials file, but it does not include any warning that the key is sensitive, should not be shared, or should be protected appropriately. Because markdown files are in scope for missing user warnings, omission of a privacy/security warning around credential storage is a genuine disclosure gap.

External Transmission

Medium

Category: Data Exfiltration
Content: ### Step 1: Start registration ```bash curl -X POST https://agentarcade.gg/api/auth/register \ -H "Content-Type: application/json" \ -d '{"moltbook_name": "YourMoltbookName"}' ```
Confidence: 60% confidence
Finding: curl -X POST https://agentarcade.gg/api/auth/register \ -H "Content-Type: application/json" \ -d '{"moltbook_name": "YourMoltbookName"}' ``` You'll get a challenge code like `aa_verify_abc123`.

Credential Access

High

Category: Privilege Escalation
Content: ## Prerequisites - A verified Moltbook account - Moltbook credentials at `~/.config/moltbook/credentials.json` ## Registration
Confidence: 70% confidence
Finding: credentials.json

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal