player-avatar
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill exclusively uses official Decentraland SDK modules and platform APIs.
  - Evidence: Imports from @dcl/sdk/ecs, @dcl/sdk/math, and @dcl/sdk/src/players are standard and trusted libraries for this ecosystem.
- [DATA_EXFILTRATION]: The skill accesses player wallet addresses (userId) and names.
  - Ingestion: Data is retrieved through the getPlayer() SDK function as described in SKILL.md.
  - Evidence: The accessed data is used locally for avatar attachments and proximity logic.
  - Conclusion: There is no evidence of network exfiltration to external or untrusted domains; all operations remain within the local scene runtime.
- [PROMPT_INJECTION]: The skill exposes surfaces for processing untrusted player data (names) which could be used for indirect injection.
  - Ingestion points: The player.name property accessed in getPlayer().
  - Boundary markers: None present in the provided code snippets.
  - Capability inventory: Includes movePlayerTo and triggerEmote via the RestrictedActions system.
  - Sanitization: No sanitization is implemented in the reference code; however, the usage is restricted to standard platform logs and logic.
Audit Metadata