Back to skill

Security audit

Leaderboard

Security checks across malware telemetry and agentic risk

Overview

This is a local leaderboard tool that saves entered game data on disk, with no evidence of network access, credential use, or hidden execution.

Install only if you are comfortable with leaderboard entries being saved locally and later searchable or exportable. Do not enter passwords, API keys, private notes, or other sensitive personal data into its commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The command table uses vague labels like 'Roll', 'Score', 'Rank', and several entries interpolate shell-like variables without explaining inputs, side effects, or persistence. In an agent setting, ambiguous command semantics can cause unsafe invocation, unexpected writes, or disclosure of local state because the operator cannot tell what data is accepted, stored, or returned.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill highlights offline use and automatic history/activity logging, but it does not clearly warn users up front that normal actions create persistent logs on disk under a fixed local path. This can lead users to enter sensitive or personal data under the assumption of ephemeral CLI use, creating avoidable privacy and retention risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
User-supplied input is written verbatim to persistent files under the user's home directory without clear notice or consent. In an agent-skill context, users may enter secrets, tokens, personal data, or sensitive game/chat content assuming it is transient, and those values can later be exposed through local inspection, search, status, recent, or export operations.

Ssd 3

Medium
Confidence
93% confidence
Finding
The script is designed to persist all supplied inputs and then reveal or export them in plain text/CSV/JSON, creating a straightforward local data exposure risk. In this skill context, the danger is elevated because the advertised purpose is innocuous game tracking, so users are less likely to expect broad retention and easy disclosure of everything they type.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.