Security audit

Ai Game

Security checks across malware telemetry and agentic risk

Overview

This is a coherent game-AI news aggregation skill that uses public web/RSS sources and local cache files, with some quality and routing caveats but no evidence of malicious behavior.

Install only if you are comfortable with a skill that runs a Python news-fetching script, contacts multiple public RSS/API sources, and updates local cache files. Treat generated reports as curated but not authoritative, since some included items may be only loosely related to game AI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs the agent to read local files, potentially write cached data, and make network requests, but it declares no permissions or trust boundaries. That mismatch can lead to over-privileged execution, unreviewed external access, and unexpected file-system interactions when the skill is invoked.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The skill is explicitly scoped to game-industry AI news, but this dataset includes several general AI/agent infrastructure posts from Google Developers Blog and a broader film/AI article from IGN that are not clearly tied to games. This creates a scope-integrity problem: users may receive irrelevant or misleading results under a game-specific skill, reducing trust and potentially causing downstream agent behavior to cite off-topic content as game-industry intelligence.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The file is supposed to provide game-industry AI news, but it includes broad AI industry items that are not clearly tied to gaming. This can cause the skill to return irrelevant or misleading content, undermining user trust and potentially causing downstream systems to make incorrect routing or summarization decisions based on out-of-scope data.

Vague Triggers

Medium
Confidence: 85%
Finding: The README instructs the agent to trigger on very broad phrases like "游戏 AI" and strongly emphasizes avoiding under-triggering. In a skill-routing system, overly broad activation criteria can cause the skill to intercept loosely related requests, leading to misrouting, reduced answer quality, and unnecessary retrieval from external sources when the user intent is ambiguous.

Vague Triggers

High
Confidence: 96%
Finding: The trigger guidance is intentionally broad and says the skill should activate even for very short or ambiguous phrases such as '游戏 AI'. That increases the chance of the agent invoking a networked, file-reading skill without sufficient user intent confirmation, causing unnecessary external queries and reducing routing integrity.

Vague Triggers

Medium
Confidence: 89%
Finding: Telling the agent '不要 undertrigger' without hard boundaries pressures it to prefer invocation over caution. In this skill, that matters because invocation leads to script execution and network access, so vague routing language can become a pathway to unnecessary data access and unintended tool use.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.