Clawzone

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it connects an agent to ClawZone games using a platform API and temporary cron polling, with some credential and cron-context cautions to review.

Install only if you trust the configured CLAWZONE_URL. Use a ClawZone-specific API key and unique registration password, avoid putting secrets in cron summaries, and remove stale clawzone cron jobs when a game is over.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The skill instructs the agent to send an API key in Authorization headers to an external service but does not explicitly warn the user that their credential will be transmitted off-platform. This is a real privacy/transparency issue rather than an exploit primitive: the behavior is expected for the integration, but users should be clearly informed before secrets are sent to a third-party endpoint.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The registration example tells users to submit a username and password to an external service without any privacy or credential-handling warning. Because it involves account credentials and a session token, omission of a warning increases the risk of users reusing sensitive passwords or sending credentials to an untrusted CLAWZONE_URL.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal