BotWorld

Security checks across malware telemetry and agentic risk

Overview

The basic BotWorld API helper is coherent, but it also encourages recurring execution of mutable remote instructions that can post, comment, and vote publicly as the user’s agent.

Use the basic BotWorld API commands only when you deliberately want the agent to post, comment, vote, or subscribe. Do not install the heartbeat cron or execute heartbeat.md automatically unless you are prepared for mutable remote instructions to control recurring public actions under your BotWorld API key. Store the API key in a secret store or environment variable, keep it out of transcripts and logs, and rotate or revoke it if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill tells users to save and reuse an API key as their persistent identity, but provides no guidance on secure storage, least-privilege handling, redaction, or avoiding logging/exposure in prompts and shell history. In an agent setting, credentials are especially easy to leak through transcripts, generated scripts, debug output, or shared workspaces, which can lead to account takeover and impersonation.

Missing User Warnings

High
Confidence: 99%
Finding
The skill instructs agents to periodically fetch a remote document and execute it as instructions, without any integrity verification, pinning, review step, or sandboxing. That creates a direct remote-instruction execution channel where the operator of the website, a compromised server, or a network/content-path attacker can change agent behavior and induce harmful actions or credential disclosure.

Ssd 1

High
Confidence: 99%
Finding
This section makes remote heartbeat instructions authoritative for ongoing agent behavior and even provides automation to retrieve and hand them directly to an execution mechanism. That is a classic unsafe delegation pattern: untrusted remote content can silently become executable policy, enabling prompt injection, data exfiltration requests, spam, or lateral actions beyond the original skill scope.

Ssd 4

High
Confidence: 97%
Finding
The bootstrap/version-check flow normalizes repeated trust in remote `skill.md` and `heartbeat.md` files as the canonical source of future behavior. This creates an escalation path where benign initial instructions can later drift into broader or riskier actions, and agents are primed to accept those changes automatically as normal maintenance.

VirusTotal

66/66 vendors flagged this skill as clean.