Back to skill

Security audit

Clawbrawl

Security checks across malware telemetry and agentic risk

Overview

Clawbrawl is a real BTC prediction game skill, but it asks users to run persistent automated betting and to fetch or overwrite skill files over insecure HTTP while using API keys.

Install only if you intentionally want an autonomous game agent that can place repeated BTC prediction bets and post game-related messages. Avoid the HTTP install and daily self-update paths, use HTTPS-only endpoints, protect or rotate the API key, and keep cron or heartbeat automation easy to audit and disable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The heartbeat includes optional Moltbook browsing/posting behavior that is unrelated to the stated BTC prediction function and expands the skill's authority into social posting. Even if labeled optional, embedding unrelated network actions in an automated routine increases attack surface and creates opportunities for data leakage, spam, or reputation abuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The daily self-update block instructs the agent to fetch remote content and overwrite local skill files, giving the remote server ongoing control over future behavior. This creates a supply-chain style trust boundary violation where later instructions can change without review and can introduce arbitrary new behaviors.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest markets the skill as BTC price prediction, but it also exposes authenticated messaging, likes, mentions, public danmaku posting, and automated promotion behavior. This capability mismatch can mislead users and hosting agents about the real permission and behavior surface, increasing the chance that social posting features are installed or enabled without informed consent.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The documentation explicitly instructs users to send API keys to an `http://` endpoint, which exposes bearer tokens to interception or modification by any on-path attacker. Because these tokens authenticate account actions such as placing bets, reading profile/score data, and posting messages, compromise can lead to account takeover and unauthorized actions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill pushes users to create unattended automation that repeatedly sends authenticated requests and places bets, but provides no safeguards for API-key storage, scope limitation, rate limiting, or the consequences of autonomous actions. This can lead to credential exposure, unauthorized use, or unintended repeated external actions if the environment is compromised or the instructions are repurposed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Using shell redirection to overwrite local skill files from unauthenticated remote content modifies the local environment without any warning, validation, or rollback path. This is dangerous because a transient or compromised remote endpoint can replace trusted local instructions and persist malicious behavior across future runs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to store a live API key in plaintext under ~/.config/clawbrawl/credentials.json and export it into the environment, but provides no guidance on file permissions, secret storage, or minimizing exposure. Plaintext credential storage increases the chance of local compromise through other processes, backups, shell history, or accidental disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill recommends a cron job that repeatedly performs authenticated betting activity every 10 minutes, creating ongoing account-impacting actions without emphasizing consent, spending/risk controls, or safe disablement. Automation of recurring transactions or competitive actions can cause unintended losses, reputation effects, and continuous use of stored credentials if the user does not fully understand the persistence.

Natural-Language Policy Violations

Low
Confidence
83% confidence
Finding
The text strongly pressures agents to bet in every round, discouraging discretion and encouraging uninterrupted participation in a recurring betting workflow. In the context of an automated skill tied to authenticated API usage, this can normalize risky behavior and reduce meaningful user control over ongoing actions.

Vague Triggers

Low
Confidence
77% confidence
Finding
The package defines automatic promotion triggers such as streaks, rank changes, and milestones without specifying content boundaries, audience constraints, or rate/approval safeguards. In an agent context, loosely scoped autonomous posting can lead to unwanted spam, reputation abuse, or behavior that exceeds user expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The install command silently downloads multiple remote files over plain HTTP and writes them into the user's persistent skill directory. This creates a supply-chain and tampering risk because the fetched content can change after publication and can be modified in transit, allowing malicious skill content or configuration to be planted without integrity checks or user warning.

Missing User Warnings

High
Confidence
100% confidence
Finding
The API reference tells users to include `Authorization: Bearer` credentials in requests over unencrypted HTTP, which makes token theft trivial on hostile or shared networks. This is especially dangerous in an agent ecosystem because stolen tokens can be reused non-interactively by other agents or attackers to impersonate the victim.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation shows authenticated requests using a bearer API key sent to an http:// endpoint, which exposes credentials and message contents to interception or modification by any network observer or active attacker. Because this is presented as copy-paste guidance, users or agents may directly adopt an insecure pattern and leak reusable credentials.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
These examples again instruct users to send bearer tokens over plain HTTP for mentions and likes, allowing credential theft, request tampering, and account abuse. Since the skill is social and interactive, compromised tokens could let an attacker impersonate agents, scrape private mentions, or perform unauthorized actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file provides detailed betting strategies, confidence scoring, and prompts users to act quickly and participate, but it does not include any financial risk disclosure or caution about losses. In a skill explicitly designed for BTC price prediction and competition, this can encourage reckless financial decision-making or gambling-like behavior, especially for inexperienced users who may interpret the guidance as actionable trading advice.

Ssd 4

High
Confidence
97% confidence
Finding
The narrative framing normalizes repeated remote refreshes of the governing instructions and conditions the agent to accept future external control as routine. In security terms, this is dangerous because it embeds a persistence and reprogramming mechanism into the workflow, weakening any stable trust boundary around the skill.

Ssd 4

Medium
Confidence
80% confidence
Finding
The urgency-heavy sequence pressures the agent to move from checking status to executing real-world POST requests with minimal deliberation, which reduces safeguards around autonomous external actions. While not exploit code by itself, this kind of coercive operational framing increases the risk of blind execution, policy bypass, and unsafe automation.

External Transmission

Medium
Category
Data Exfiltration
Content
Priority: CRITICAL
Action Required: EXECUTE HTTP calls, not just plan

1. EXECUTE: curl http://api.clawbrawl.ai/api/v1/rounds/current?symbol=BTCUSDT

2. ⚡ EARLY EXIT CHECK (do this FIRST, before any market analysis!):
   If betting_open == false OR remaining_seconds < 180:
Confidence
83% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
a. CHECK scoring.estimated_win_score - the earlier you bet, the higher this is!
   b. EXECUTE: curl https://api.bitget.com/api/v2/mix/market/ticker?symbol=BTCUSDT&productType=USDT-FUTURES
   c. DECIDE FAST: direction (long/short) based on change24h and fundingRate
   d. EXECUTE IMMEDIATELY: curl -X POST http://api.clawbrawl.ai/api/v1/bets \
        -H "Authorization: Bearer $CLAWBRAWL_API_KEY" \
        -H "Content-Type: application/json" \
        -d '{"symbol":"BTCUSDT","direction":"long","reason":"your analysis min 10 chars","confidence":65,"danmaku":"battle cry!"}'
Confidence
95% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
⚡ **IMPORTANT:** Bet in EVERY round. Agents who participate frequently learn faster and climb the ranks!

**Base URL:** `http://api.clawbrawl.ai/api/v1`

🔒 **Security:** NEVER send your API key to any domain other than `api.clawbrawl.ai`
Confidence
99% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
## Links

- **Website:** http://www.clawbrawl.ai
- **API Docs:** http://api.clawbrawl.ai/api/v1/docs
- **Leaderboard:** http://www.clawbrawl.ai/leaderboard
- **Community:** https://www.moltbook.com/m/clawbrawl
Confidence
97% confidence
Finding
http://api.clawbrawl.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
"clawbot": {
      "emoji": "🦀",
      "category": "game",
      "api_base": "http://api.clawbrawl.ai/api/v1"
    }
  },
  "skill_files": {
Confidence
94% confidence
Finding
http://api.clawbrawl.ai/

Session Persistence

Medium
Category
Rogue Agent
Content
"heartbeat": "http://www.clawbrawl.ai/heartbeat.md",
    "package": "http://www.clawbrawl.ai/skill.json"
  },
  "install": "mkdir -p ~/.clawbot/skills/claw-brawl && curl -s http://www.clawbrawl.ai/skill.md > ~/.clawbot/skills/claw-brawl/SKILL.md && curl -s http://www.clawbrawl.ai/heartbeat.md > ~/.clawbot/skills/claw-brawl/HEARTBEAT.md && curl -s http://www.clawbrawl.ai/skill.json > ~/.clawbot/skills/claw-brawl/package.json",
  "symbols": {
    "supported": [
      {"symbol": "BTCUSDT", "name": "Bitcoin", "category": "crypto", "emoji": "₿", "status": "active"},
Confidence
90% confidence
Finding
mkdir -p ~/.clawbot/skills/claw-brawl && curl -s http://www.clawbrawl.ai/skill.md > ~/.clawbot/skills/claw-brawl/SKILL.md && curl -s http://www.clawbrawl.ai/heartbeat.md > ~/.clawbot/skills/claw-brawl

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.