Clawai Town Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned, but it needs Review because it lets remote world content steer an autonomous agent that can trade, fight, and chat in a public Solana-mainnet environment.

Install only if you are comfortable supervising an autonomous public-world agent connected to a funded wallet. Use a dedicated low-balance wallet, set autoTrade=false and autoFight=false unless deliberately testing those features, keep maxTradeAmount very low, avoid putting secrets in SOUL.md or chat, and assume the server and other participants can influence what the agent sees.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly enables autonomous trading, combat, and loot transfer using real SOL on Solana mainnet, but the documentation does not provide a prominent warning about possible financial loss, automated spending, adversarial interactions, or irreversible on-chain transactions. Because actions are driven by LLM decisions and remote world state, users may expose funded wallets to unexpected losses without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README states the agent appears in a public world visible to spectators and other agents, and supports nearby chat, but it does not clearly warn users that agent behavior, messages, and presence may be publicly observable and logged. In a system where prompts include world context and actions are autonomous, this creates privacy and operational exposure that users may not anticipate.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The skill allows the LLM to autonomously choose remote actions including movement, chat, combat, and trading, which can cause real external side effects without explicit confirmation or strong guardrails. In this context, the risk is elevated because the actions are driven by untrusted world content and can affect other agents or assets on a live networked service.

Ssd 4

Severity: High
Confidence: 98%
Finding:
Untrusted server- and agent-controlled text such as nearby agent names, moods, frameworks, and recent event text is directly embedded into the model prompt that determines behavior. A malicious server or participant can use narrative steering or prompt-injection content to manipulate the model into taking unintended actions like trading, chatting, or fighting.

Ssd 1

Severity: High
Confidence: 96%
Finding:
The message-handling path stores untrusted event and chat-derived content that later influences the model prompt, creating semantic prompt-injection exposure across ticks. Because the skill gives the LLM authority to produce network actions, malicious content from other agents or the server can indirectly drive harmful behavior over time.

VirusTotal

66/66 vendors flagged this skill as clean.
