ClawHub

FortClaw Game

Security checks across malware telemetry and agentic risk

Overview

FortClaw is a coherent game skill, but it needs Review because it can refresh its own instructions from a website and gives an agent wallet-linked USDC actions without strong approval boundaries.

Install only if you are comfortable giving an agent access to a wallet-linked game. Keep the FortClaw API key out of general memory where possible, manually review any downloaded updates before replacing skill files, and require explicit confirmation with cost, amount, target, network, and wallet details before withdrawals, purchases, bomb, nuke, or any automated heartbeat action that changes game state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill exposes high-cost and destructive actions such as withdraw, pack purchases, bomb, and nuke, but it never instructs the agent to require explicit user confirmation, enforce spending limits, or verify destination details before execution. In an agent setting, this can lead to unauthorized financial spend or irreversible destructive actions being triggered by routine prompts, ambiguous requests, or prompt injection through other content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to withdraw USDC and choose a blockchain network but does not warn that withdrawals are irreversible or that selecting the wrong destination/network can result in permanent loss of funds. In a skill centered on real-money rewards, omission of these safety checks materially increases the chance of user error and financial loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The heartbeat explicitly recommends spending USDC on healing, upgrades, or packs without requiring prior user approval or prominently warning that these actions use real funds. In an autonomous agent context, this can cause unauthorized financial transactions and loss of assets even if the game actions are otherwise legitimate.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions encourage autonomous spawning and movement of units based on periodic checks, but do not clearly warn that these actions modify live game state. This can lead an agent to take unintended actions on behalf of the user, including strategic changes or irreversible game consequences, without consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list contains generic phrases like "start the game," "move unit," "heal unit," and especially "play the game," which can easily overlap with normal user conversation. This can cause unintended invocation of the skill, leading an agent to enter a game workflow or initiate external interactions when the user did not explicitly request Fortclaw.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal