Autogame Tales

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its story-generation purpose, but it has a real path-traversal write bug and unclear Feishu targeting behavior that users should review before installing.

Install only if you are comfortable with a local script that can write story files and may send them through an external Feishu helper. Review or fix the `--genre` path handling first, verify the adjacent Feishu helper, and make sure `OPENCLAW_MASTER_ID` and `LOG_TARGET` do not point to an unintended recipient.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 92% confidence
Finding
The README documents that the tool generates and sends a 'Ghost Story' card to Feishu, but it does not clearly warn users that provided content will be transmitted to an external recipient. This can lead to accidental disclosure of sensitive incident details, personal information, or internal log content if a user treats the skill as a local formatting tool rather than a messaging action.

Missing User Warnings

Low, 87% confidence
Finding
The skill explicitly states it writes generated stories to `memory/tales/` and uses a Feishu helper to send cards, but the description does not warn users that outputs may be stored locally and transmitted to an external messaging platform. Even if the current content is only generated fiction, lack of disclosure creates a privacy and transparency issue and could become more serious if prompts or surrounding context include user data.

VirusTotal

No VirusTotal findings
