Sportsbet Advisor

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed sports-betting research aid with no credential access, exfiltration, automatic execution, or privileged persistence, but its recommendation script is low-rigor and should not be trusted as reliable betting advice.

Before installing, treat this as casual research only. The included script may produce confidence-scored betting picks from shallow web-search heuristics and may save them locally, so verify odds and facts from authoritative sources and do not rely on it for gambling decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding:
The skill appears to perform file-write operations despite declaring no permissions. Hidden or undeclared write capability breaks least-privilege expectations and can be abused to persist data, alter local state, or create artifacts without user awareness. In a betting-advice skill, this behavior is not necessary for the stated purpose, which makes it more suspicious rather than contextually justified.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding:
The skill's implemented behavior materially differs from its declared purpose: it reportedly performs generic searches, generates unsolicited broad betting suggestions, uses shallow heuristics, and writes recommended bets to a local JSON file. This mismatch is dangerous because users and platform controls rely on the description to understand scope and risk; undisclosed persistence and autonomous recommendation generation can manipulate users, bypass review expectations, and increase harm in a gambling-related context.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill advertises Sportsbet-specific bet analysis, but the implementation relies on generic web search snippets and then produces recommendations using simplistic heuristics, including defaulting to the first listed team. This creates a trust and integrity issue: users may believe the recommendations are grounded in Sportsbet market data when they are not, leading to misleading or unsafe advice in a gambling context.

VirusTotal

66/66 vendors flagged this skill as clean.
