Lawb Chess

Security checks across malware telemetry and agentic risk

Overview

This skill is openly intended for on-chain wagered chess, but it gives an agent authority over wallet transactions and live public state without clear per-action user confirmation.

Review before installing. Use a dedicated low-balance wallet, verify contract and token addresses independently, approve only the exact wager amount, and manually confirm every wallet transaction. Do not let an agent post chat, change profile data, update leaderboard fields, or join wagered games unless the chain, token, amount, opponent, and message content are explicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs agents to connect wallets, approve tokens, place wagers, and write to a live Firebase game state without an upfront safety gate requiring explicit user confirmation of financial risk and live-state modification. In an agent context, this can lead to unintended on-chain transactions, token approvals, or game actions that spend funds or alter public state based on ambiguous prompts.

VirusTotal

66/66 vendors flagged this skill as clean.
