pubnub/pubnub-live-betting-casino
Build real-time betting and casino game platforms with PubNub
90
65%
Does it follow best practices?
Impact
93%
1.52xAverage score across 15 eval scenarios
Advisory
Suggest reviewing before use
Security
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests and acts on external, potentially untrusted content—subscribing to public PubNub channels (e.g., social.feed, tournament.{id}.lobby and event/market channels) whose user-generated messages are processed to update UI/odds and trigger actions (suspend markets, accept/reject bets), and it also calls a third-party geocoding API (https://api.geocoding-service.com/reverse) to make access-control decisions—so third-party content can materially influence behavior.
W009: Direct money access capability detected (payment gateways, crypto, banking)
What this means
The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.
Why it was flagged
Direct money access detected (high risk: 1.00). The skill is explicitly designed for wagering and balance management: it defines wager placement (includes stake and currency in the example), server-side bet validation, price locking, bet settlement, cash-out requests, and real-time balance updates. Those are specific financial operations whose primary purpose is to move/adjust money (accept stakes, settle bets, perform cash-outs). Although it uses PubNub rather than a named payment gateway, the skill's core workflow and code samples directly implement sending transactions that change user balances and authorize payouts, so it meets the "Direct Financial Execution" criteria.
- Audited
- Security analysis