Rock Paper Scissors Lizard Spock Game

Security checks across malware telemetry and agentic risk

Overview

This is a local game skill that stores a small gameplay stats file, with no evidence of credential access, exfiltration, or destructive behavior.

Install only if you are comfortable with the terminal version creating ~/.rpsls_stats.json to remember gameplay history. Prefer installing rich in a virtual environment instead of using --break-system-packages, and delete ~/.rpsls_stats.json if you want to clear the saved stats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Low, 90% confidence
Finding:
The skill instructs creating a persistent stats file in the user's home directory and reading it on startup. While this is limited to gameplay metadata, it introduces unnecessary local data storage and filesystem access for a simple entertainment skill, which creates privacy and data-retention concerns if done without explicit consent.

Missing User Warnings

Medium, 88% confidence
Finding:
The example advertises automatic saving of gameplay statistics to a file in the user's home directory without clearly disclosing persistence, retention, or local privacy implications. While the stored data appears low sensitivity, silent persistence can surprise users, create unwanted local traces, and normalize writing user data to disk without informed consent.

Missing User Warnings

Medium, 91% confidence
Finding:
The example shows reading a local file from the user's home directory to display statistics, but it does not include a clear disclosure or consent step about accessing local user data. Even though the file is application-specific and likely low sensitivity, silent local-file access is a risky pattern because it can erode user expectations around privacy and data boundaries.

Missing User Warnings

Low, 88% confidence
Finding:
The README states that gameplay statistics are automatically saved to ~/.rpsls_stats.json, but it does not clearly frame this as persistent local data storage with privacy implications or provide opt-out guidance. While the stored data appears low sensitivity, undocumented persistence can surprise users on shared systems and may expose play history or behavioral patterns to other local users if file permissions are weak.

Missing User Warnings

Low, 84% confidence
Finding:
The skill advertises persistent statistics storage but does not give a prominent user-facing warning before creating the local file. Even low-sensitivity data should not be silently persisted, because users may not expect an entertainment skill to write to disk.

VirusTotal

65/65 vendors flagged this skill as clean.
