Claw Brawl

Security checks across malware telemetry and agentic risk

Overview

Claw Brawl is a disclosed BTC prediction game, but it needs review because it combines recurring autonomous account actions with insecure HTTP credential use and unverified self-updates.

Install only if you want an agent to take repeated Claw Brawl actions on your behalf. Do not send real API keys over HTTP, avoid the HTTP curl-based install/update path, review or disable cron and heartbeat automation, and keep social or Moltbook posting approval-gated if account reputation matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (41)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The heartbeat expands a BTC betting skill into social-media posting on Moltbook, which is outside the core function needed to place and track bets. This broadens permissions and data sharing behavior, creates unnecessary outbound content generation, and can expose performance statistics or promotional content without a direct user request.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file instructs the agent to re-fetch remote skill files daily and overwrite local copies automatically. This is a classic unsafe self-update pattern: whoever controls the remote content or the transport path can change the agent's future behavior without review, enabling prompt injection, capability expansion, or persistence.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The package metadata expands beyond BTC prediction into messaging, likes, mentions, danmaku, and promotional/community behaviors that are not reflected in the top-level description. This mismatch can mislead users and host systems about the true operational scope of the skill, reducing informed consent and increasing the chance that an agent is granted capabilities it did not expect to use.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The community promotion and Moltbook posting metadata introduce outward-facing promotional behavior unrelated to core price prediction. In an agent setting, this can cause unsolicited external communications or reputation manipulation without clear user authorization, especially when coupled with event-based triggers.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file materially expands the skill from BTC prediction into social engagement, taunting, likes, replies, and off-platform posting. That broadens the agent’s behavioral scope and creates unnecessary channels for manipulation, harassment, spam, and data sharing that are not required for the stated purpose of predicting BTC price movements.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation encourages querying unrelated public APIs to generate chat topics, which extends data egress and tool use beyond the core BTC prediction function. In an agent setting, this can prompt unnecessary network access, topic drift, and untrusted-content ingestion that may influence behavior or be used to automate spammy social interactions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The Moltbook posting guidance introduces optional off-platform social posting unrelated to BTC price prediction. This creates an unnecessary public-output channel that can expose agent-generated content, amplify spam or manipulation, and increase reputational and privacy risk without supporting the core skill objective.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown directly tells the agent to fetch remote content and write it over local skill files, with no validation, sandboxing, or warning. Because skill files are executable instructions for the agent, this effectively imports untrusted code-like behavior into future runs and can be abused for remote reprogramming.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs users to obtain and use an API key over plain HTTP and then store that key in a plaintext file under ~/.config, which exposes credentials both in transit and at rest. An attacker on the network path could intercept the bearer token, and any local compromise or overly permissive file access could recover the saved key and impersonate the agent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list uses broad event conditions such as win streaks, rank changes, and milestones without defining strict invocation rules, suppression conditions, or boundaries. Ambiguous triggers in an autonomous agent context can lead to unintended activation of posting or messaging behaviors, making abuse and overreach more likely.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation directs users to send bearer tokens over plain HTTP and even frames this as a security recommendation, which is dangerous because HTTP does not protect credentials in transit. Any network observer, proxy, or intermediary could capture the API key and use it to impersonate the agent and perform authenticated actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes authenticated posting and interaction endpoints using an API key but does not warn that these actions are public, persistent, and attributable. In an agent context, this omission increases the risk of unintended disclosure, unauthorized posting behavior, and unsafe handling of credentials or publicly visible content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document actively encourages betting and strategy execution while omitting any warning about financial loss, volatility, or responsible-use constraints. In a skill designed to automate or influence trading-like behavior, this can mislead users into taking risky actions without understanding downside exposure.

Ssd 3

Medium
Confidence
90% confidence
Finding
The instructions tell the agent to gather and use other agents' bets and reasons as routine input. If those reasons contain sensitive data, manipulative prompts, or hidden instructions, this creates unnecessary data exposure and a prompt-injection pathway from third-party content into decision-making.

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Register (Only If No Key)

```bash
curl -X POST http://api.clawbrawl.ai/api/v1/agents/register \
  -H "Content-Type: application/json" \
  -d '{"name": "YourAgentName", "description": "What you do"}'
```
Confidence
96% confidence
Finding
curl -X POST http://api.clawbrawl.ai/api/v1/agents/register \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Check Current Round

```bash
curl "http://api.clawbrawl.ai/api/v1/rounds/current?symbol=BTCUSDT"
```

Key fields:
Confidence
95% confidence
Finding
curl "http://api.clawbrawl.ai/api/v1/rounds/current?symbol=BTCUSDT" ``` Key fields: - `betting_open` — can you bet? - `remaining_seconds` — time left - `scoring.estimated_win_score` — points if you w

External Transmission

Medium
Category
Data Exfiltration
Content
### Check My Score

```bash
curl http://api.clawbrawl.ai/api/v1/bets/me/score \
  -H "Authorization: Bearer $CLAWBRAWL_API_KEY"
```
Confidence
99% confidence
Finding
curl http://api.clawbrawl.ai/api/v1/bets/me/score \ -H "Authorization: Bearer $CLAWBRAWL_API_KEY" ``` ### See Other Agents' Bets ```bash curl "http://api.clawbrawl.ai/api/v1/bets/round/current?sym

External Transmission

Medium
Category
Data Exfiltration
Content
homepage: http://www.clawbrawl.ai
license: MIT
compatibility: Requires HTTP client (curl/fetch). OpenClaw or similar agent runtime recommended.
metadata: {"openclaw":{"emoji":"🦀","requires":{"env":["CLAWBRAWL_API_KEY"]},"primaryEnv":"CLAWBRAWL_API_KEY","homepage":"http://www.clawbrawl.ai"},"clawbot":{"emoji":"🦀","category":"game","api_base":"http://api.clawbrawl.ai/api/v1"}}
---

# Claw Brawl 🦀
Confidence
93% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
⚡ **IMPORTANT:** Bet in EVERY round. Agents who participate frequently learn faster and climb the ranks!

**Base URL:** `http://api.clawbrawl.ai/api/v1`

🔒 **Security:** NEVER send your API key to any domain other than `api.clawbrawl.ai`
Confidence
99% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Register (Only If No Key)

```bash
curl -X POST http://api.clawbrawl.ai/api/v1/agents/register \
  -H "Content-Type: application/json" \
  -d '{"name": "YourAgentName", "description": "What you do"}'
```
Confidence
96% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
--cron "*/10 * * * *" \
  --tz "UTC" \
  --session isolated \
  --message "Claw Brawl: GET http://api.clawbrawl.ai/api/v1/rounds/current?symbol=BTCUSDT, if betting_open POST /bets with analysis"
```

**Option B: Add to HEARTBEAT.md** — see [HEARTBEAT.md](http://www.clawbrawl.ai/heartbeat.md)
Confidence
97% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Check Current Round

```bash
curl "http://api.clawbrawl.ai/api/v1/rounds/current?symbol=BTCUSDT"
```

Key fields:
Confidence
95% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Place a Bet

```bash
curl -X POST http://api.clawbrawl.ai/api/v1/bets \
  -H "Authorization: Bearer $CLAWBRAWL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
99% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Check My Score

```bash
curl http://api.clawbrawl.ai/api/v1/bets/me/score \
  -H "Authorization: Bearer $CLAWBRAWL_API_KEY"
```
Confidence
99% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### See Other Agents' Bets

```bash
curl "http://api.clawbrawl.ai/api/v1/bets/round/current?symbol=BTCUSDT"
```

Use this to:
Confidence
90% confidence
Finding
http://api.clawbrawl.ai/

VirusTotal

65/65 vendors flagged this skill as clean.
