Back to skill

Security audit

Yumfu

Security checks across malware telemetry and agentic risk

Overview

YumFu is a real multiplayer RPG skill, but it needs review because it defaults to broad chat-triggered gameplay, persistent full-session logging, storybook export, and optional scheduled background updates.

Install only if you are comfortable with a chat RPG that keeps local saves, generated media, and default-on storybook logs of gameplay conversations. In group chats, use an explicit /yumfu session boundary, warn participants that turns may be logged and exported, disable storybook tracking or set YUMFU_NO_LOGGING=1 when privacy matters, and enable daily evolution only if you want scheduled background messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The file documents capabilities that go beyond simple gameplay: persistent session logging, canonical storybook generation, image copying, and later export/delivery. Even if intended as a feature, this expands the skill's effective data-handling scope and can surprise users or platform reviewers if the manifest only presents the skill as a gameplay experience.

Description-Behavior Mismatch

Low
Confidence
71% confidence
Finding
The workflow says gameplay is automatic, but also describes manual or auxiliary export and delivery steps such as generating HTML and sending it to users. This mismatch is mainly a transparency and scope-governance issue: operators may perform content export actions not clearly reflected in the declared skill behavior.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document makes absolute security claims such as 'No arbitrary code execution' and 'exec() with user input - Never used' while earlier acknowledging that SKILL.md contains exec()-based shell command examples. Contradictory security documentation can mislead reviewers and operators into underestimating real injection risk, causing unsafe patterns to remain deployed or copied into implementations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The daily evolution feature enables proactive scheduled messaging and background state processing beyond normal user-initiated gameplay. That expands the attack surface by allowing the skill to act later, potentially spamming users, leaking stored context, or continuing behavior after expectations of a passive tool.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill mandates automatic session logging and storybook generation of player inputs, AI outputs, and images, which goes beyond what a typical game description implies. This is dangerous because it creates durable records of conversations and media that may contain sensitive content, with opt-out rather than informed opt-in.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The documentation introduces automatic per-turn logging and full conversation retention, which is materially broader than the skill's manifest description of multiplayer RPG gameplay. This creates an undeclared data collection behavior that can surprise users and operators, increasing privacy and compliance risk if sensitive chat content is captured by default.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file documents exporting session data into shareable HTML/PDF artifacts, a data egress capability not described in the manifest. Packaging complete sessions into portable files increases the chance of accidental oversharing, unauthorized redistribution, or exposure of private player content outside the original chat context.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
Mandating log_turn() after every action establishes comprehensive collection of player inputs and model outputs without corresponding disclosure in the gameplay-focused manifest. This is dangerous because it normalizes blanket retention of user-provided natural language, which may include personal or sensitive information unrelated to gameplay.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The example uses dynamic code execution via exec() to launch a Python command, which is unsafe and unnecessary for gameplay setup. If world_id or user_id can be influenced upstream, this pattern can enable command/code injection, and even as documentation it normalizes a dangerous implementation approach in a skill that should only need deterministic game logic.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The document specifies persistent save, backup, and emergency-fallback storage locations and behavior that are not part of the user-facing gameplay description. This expands the skill’s operational scope into local data persistence and retention, increasing privacy and data-handling risk if agents store user identifiers or game state without clear disclosure, minimization, or retention controls.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The reference instructs agents to invoke local subprocesses to perform save/load operations, creating a capability boundary crossing from conversational logic into host-level command execution. Even though the examples use fixed script paths, normalizing subprocess use in skill docs can enable unsafe agent patterns, increase attack surface, and lead to misuse of local resources or execution of unintended commands in less-controlled integrations.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This script disables cron jobs and mutates persisted sidecar state, capabilities that are more administrative than gameplay-oriented. In a skill advertised as a multiplayer RPG, hidden maintenance functionality increases risk because it can alter scheduler state and user data without that power being clearly justified or constrained in the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script exercises scheduler-control capability by loading a cron identifier, disabling it, and then updating state to mark the feature disabled. In the context of an RPG skill, this privileged control path is more dangerous because it extends beyond normal gameplay into host task management, creating an avenue for denial of service against scheduled game functions if exposed to untrusted callers.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The image resolver accepts an image reference from session events and, if that path is not present, recursively searches several unrelated local media/output directories for fuzzy filename matches. In a multi-user or shared host environment, attacker-controlled session data could cause the storybook export to pull arbitrary local images from outside the current session, embedding them into the generated HTML and leaking local data to the user or browser.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The --check-all path enumerates every world directory for an arbitrary user ID and returns whether a save exists plus character name, level, location, and last-played metadata. That broadens the capability from loading one known save to profiling a user's activity across all game worlds, which can leak private gameplay presence and enable user enumeration if exposed to other users or agents.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example phrases for starting the game are broad, ordinary-language utterances that an agent could plausibly encounter in regular conversation. Without a clearly scoped invocation boundary, the skill may activate unintentionally and hijack the interaction flow, especially in group or mixed-context chats where users discuss games casually.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The documentation says users do not need commands and can interact in free-form natural language, but it does not define a strict boundary between ordinary chat and in-game commands. In a multiplayer or chat-integrated setting, this ambiguity can cause prompt/intent confusion, accidental skill activation, or misinterpretation of normal conversation as game actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented design stores full user inputs, AI responses, and optional images in persistent session logs without any visible user warning, consent flow, retention limit, or privacy notice. In a group Telegram RPG context, this can capture sensitive or third-party content and make later reuse or exposure of conversations more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow mandates automatic logging every turn and frames it as required for future storybook completeness, but does not disclose the privacy consequences in this file. This creates a default-surveillance behavior where users may reasonably believe they are just playing a game while their full interaction history is being archived.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README frames the skill as operating through natural language inside chat surfaces, which can cause the host agent to treat ordinary conversation as game input. In shared chats, ambiguous trigger scope increases the risk of unintended activation, prompt collisions, and accidental processing of bystander messages as commands or gameplay actions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Saying users can 'just chat' in Telegram groups without slash commands or scope limits is dangerous in a multiplayer group setting because unrelated group messages may be ingested as game actions. That creates cross-user confusion, unauthorized actions on behalf of users, and increased prompt-injection surface from any participant in the room.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The documentation explicitly encourages users to 'just talk' to the agent and implies the agent will infer gameplay intent from arbitrary natural language. In agent-integrated environments, this broad trigger model can lead to unintended tool use, message capture, and manipulation by surrounding conversational context rather than deliberate game input.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README discloses persistent storage of saves, generated images, and session logs for storybook generation, but it does not clearly warn users that chat-derived content may be retained and later republished or shared. In a multiplayer chat game, this can capture sensitive or unexpected user content and create privacy and consent issues, especially when logs become storybooks, HTML demos, or media artifacts.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
Automatic language preference detection processes behavioral/user-generated content to infer a user attribute without explicit opt-in. In a multiplayer Telegram RPG context, this can become more sensitive because it profiles users from prior messages and may affect how they are tracked or segmented, especially if the detection is persisted in sidecar state or used silently.

Vague Triggers

High
Confidence
98% confidence
Finding
The skill instructs the agent to treat broad natural-language utterances and even single-letter replies like 'B' as gameplay turns, which can capture ordinary conversation in group chats. This is dangerous because it can trigger save loads, image generation, TTS, logging, and persistence without clear invocation, especially in shared channels where ambiguous messages are common.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.