pokemon-player
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to set up Python virtual environments, install packages, and launch a local game server.
- [DATA_EXFILTRATION]: Instructs the agent to establish an SSH reverse tunnel using
ssh -R 80:localhost:9876 nokey@localhost.run. This exposes the local API server (port 9876) to the public internet via a random.lhr.lifeURL. This server provides endpoints for taking system/emulator screenshots (/screenshot) and accessing game state, potentially allowing unauthorized external access to the agent's local environment if the URL is discovered. - [EXTERNAL_DOWNLOADS]: The skill requires cloning the
pokemon-agentrepository fromgithub.com/NousResearch/pokemon-agentand installing it viapiporuv. This is a vendor-owned resource consistent with the skill's authorship. - [CREDENTIALS_UNSAFE]: Discloses host-specific environment details by referencing hardcoded local paths such as
/home/teknium/pokemon-agent.
Audit Metadata