Claw Go

Security checks across malware telemetry and agentic risk

Overview

Claw Go is a real pet/travel game, but it needs Review because it ships real-looking service secrets and can run local scripts that send user-linked voice, media, location, and posts to external services with weak consent boundaries.

Install only after review. The publisher should revoke and replace the bundled secrets, narrow triggers, require explicit confirmation before every social post, disclose voice/media processing, restrict accepted URLs and local file paths, and define controls for memory, retention, deletion, and opt-out.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares itself as a chat game, but its instructions require shell execution, network access, and environment-backed external service calls without declaring permissions. That gap is dangerous because reviewers, users, or policy layers may not realize the skill can execute local scripts, access remote services, and handle media or user data beyond normal in-chat gameplay.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior extends beyond a pet/travel game into external posting, audio transcription from files/URLs, remote media handling, and provider-backed image/TTS/STT operations. Description-behavior mismatch is security-relevant because it conceals the true attack surface and data handling, increasing the chance of unreviewed exfiltration, unsafe file processing, or unauthorized outbound actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to publish content to an external social feed, including identifiers, location, body text, image references, and audio references. This creates a real risk of unintended data disclosure or cross-system posting from casual in-game prompts, especially because the skill is framed as entertainment rather than external publishing.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill directs the agent to execute local scripts for media generation and audio transcription, including processing local paths or remote URLs. This broadens the attack surface to shell execution, file access, URL fetching, and potentially unsafe media parsing, which is materially riskier than ordinary chat-game logic.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill expands from an in-chat pet/travel game into posting user-generated content to an external social feed, including identifiers, profile fields, location, body text, media refs, and audio refs. That creates a real data-exfiltration and unintended third-party publication risk, especially if publishing can be triggered from ordinary chat without a separate consent and confirmation step.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The prompt instructs the agent to use an exec tool to run multiple local Node scripts with user-influenced arguments, including transcript input, media generation, and social posting. Even though the commands are templated, this materially increases risk of command/argument injection, unsafe file/path handling, SSRF via URLs, and privilege expansion beyond what a simple chat game should need.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script posts companion content to an external social service and returns public post URLs, which materially expands the data-sharing behavior beyond a local pet/travel-game experience. In a game skill context, undisclosed publication of user-associated content, location, and media creates privacy and consent risk, especially because the behavior is implemented as a direct backend action rather than an explicitly confirmed export flow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The collision feature reveals that another user is in the same location and shares links to that user's post and a collision event, creating cross-user discovery without clear consent controls. In a companion-game skill, correlating users by shared city/location raises privacy and stalking concerns because it exposes relationship data between otherwise unrelated users.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script accepts arbitrary HTTP/HTTPS URLs and fetches them server-side before uploading the resulting audio to a transcription service. In a pet-game skill, this capability is not clearly justified and creates a server-side request surface that could be abused for unintended network access, data ingestion, or privacy violations if untrusted input reaches this utility.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger conditions are excessively broad and include implied intent matching for many ordinary phrases, making accidental invocation likely. In this skill, unintended activation is more dangerous because activation can lead to media generation, transcription, external posting flows, and other side effects beyond harmless text responses.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Using the generic word 'buddy' as a plain-text trigger is unsafe because it commonly appears in normal conversation unrelated to this skill. Since the skill can do more than simple chat responses, a false activation could expose user context to game logic or initiate broader workflows unexpectedly.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Aliases such as '摸摸', 'selfie', or similarly generic everyday terms are too common to be safe global triggers. In a capability-rich skill, generic words increase the chance of unintended state changes or invocation of media-related paths without deliberate user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Intercepting broad version-related queries like 'version' or 'is this latest' can hijack unrelated user requests and route them into this skill. This is primarily an invocation-safety issue, but it becomes more significant here because the skill also contains nontrivial execution and outbound capabilities.

Vague Triggers

High
Confidence
95% confidence
Finding
The instruction to activate immediately whenever 'clawgo' or '虾游记' appears anywhere in a message is an overbroad routing rule that can hijack unrelated conversations. In context, this is more dangerous because activation unlocks media generation, transcription, and external posting behavior, so a stray keyword could trigger sensitive side effects or tool use unexpectedly.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The plain-text trigger list includes broad phrases like 'buddy' and requests to start or continue the pet, which are common conversational terms and can cause accidental routing. In this skill, mistaken routing is not merely cosmetic because it can lead to persistence, media workflows, transcription, or downstream external actions being invoked under the wrong context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The contract explicitly sends user_id and preference-like memory tags to a backend memory endpoint, but the spec contains no consent, disclosure, retention, or deletion requirements. In a companion/pet skill with personalization and memory-based behavior, this increases privacy risk because behavioral preference data can be collected and linked to a persistent identifier without clear user awareness or control.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The media and TTS APIs transmit user-linked content, including user_id and companion/story context, to external generation services without any stated notice, consent flow, or data-handling constraints. Because this skill proactively generates personalized travel stories, images, and voice updates, users may not realize their content is being sent off-device or to separate services, creating privacy and data-sharing concerns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file specifies automatic transcription of inbound voice attachments and downloadable audio URLs, but it does not require notice, consent, or clear handling rules for sensitive voice data. Because voice messages may contain biometric identifiers, private conversations, or bystander audio, silently sending them for transcription creates a real privacy and data-governance risk, especially in a consumer companion game context where users may not expect backend processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document defines external image, TTS, and STT provider configuration and a real runtime flow that can send user prompts, voice content, and generated context to third-party services, but it omits any requirement to inform users or constrain data sharing. In this skill, personalization, memory, companion state, and user language can increase the sensitivity of transmitted content, making undisclosed third-party processing a meaningful privacy vulnerability.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Accepting the standalone trigger `buddy` is a real routing vulnerability because it is a common conversational word and can cause accidental invocation of this skill in unrelated chats. In this skill's context, that broad trigger is especially risky because activation can read stored state, generate proactive pet/game responses, and potentially call downstream media or entitlement components without the user clearly intending to use the game.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Parsing `buddy` as a standalone command without scope constraints creates ambiguous command handling and makes unintended activation likely. Because this skill can mutate state (`pet`, mute/unmute), reveal companion status, and trigger user-specific content, ambiguous parsing can lead to privacy-impacting or confusing actions from ordinary conversation rather than explicit game commands.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script transmits user-influenced content, including the voice script and generated image prompt, to third-party image and TTS endpoints. In a companion/pet skill, that can expose personal or sensitive user text, destinations, or profile-derived companion attributes to external providers without any visible consent, minimization, or disclosure at this layer.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script unconditionally deletes the existing target skill directory with rm -rf before copying the new version, with no confirmation, backup, or validation that the destination is safe. If the operator supplies an unexpected target path or already has local modifications, this can cause irreversible data loss and overwrite an installed skill state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends author identifiers, display name, handle, location, body text, and optional image/audio data to a remote internal API, but the code contains no confirmation, notice, or minimization step. For a game skill, silent transmission of user content and media off-platform is privacy-sensitive and can lead to unintended disclosure or retention of personal data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends audio content to an external third-party API for transcription without any built-in disclosure, consent check, or visible warning to the user. If used on user voice messages, this can expose sensitive personal data or conversations to an external processor, which is especially risky in a consumer-facing companion game context.

VirusTotal

65/65 vendors flagged this skill as clean.
