spacetimedb-csharp
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3]

This document is a developer guide for SpacetimeDB C# / Unity integration, not executable malicious code. I found no signs of hidden backdoors, obfuscation, or credential exfiltration to unknown third parties. The primary security concerns are procedural: examples recommend storing auth tokens in PlayerPrefs (insecure), show plain http:// URIs without stressing TLS (risk of token exposure), and include a convenience SubscribeToAllTables() call which can leak all public rows to the client if misused. These are insecure usage patterns rather than active malware. Developers should avoid persisting tokens in PlayerPrefs for production, prefer secure platform keystores, always use TLS/wss for remote servers, and limit subscriptions to the minimum necessary scope.