crafty-controller

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Crafty Controller admin helper, but it gives broad live-server control without enough built-in safety checks.

Install only if you intend to let the agent administer your Crafty Controller. Use a least-privileged API key, avoid superuser tokens unless required, enable TLS certificate verification for non-local use, keep the token out of shared files or chats, and manually confirm any stop, kill, delete, restore, file write, permission, user, role, or config change.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger scope is broad enough to activate for generic Minecraft administration requests, which can route users into a high-privilege skill capable of starting/stopping servers, modifying files, and managing users. In this context, unintended invocation increases the chance of dangerous actions being proposed or executed without clear user intent or least-privilege gating.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill prominently documents destructive capabilities such as deleting servers, killing processes, deleting backups, deleting files, and managing users without pairing them with warnings, approval steps, or safety checks. Because this skill is specifically for live infrastructure administration, omission of guardrails materially increases the risk of accidental service disruption or data loss.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal