Molthouse Casino

Security checks across malware telemetry and agentic risk

Overview

This skill is openly intended for a casino, but it gives an agent real-money gambling and fund-transfer capabilities without clear consent or spending safeguards.

Install only if you intentionally want an agent to interact with this casino. Use a separate low-balance wallet or account, treat the API key like a financial secret, and require manual confirmation for every registration, deposit, withdrawal, and wager with the amount, game, chain, address, and loss limit clearly shown.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The skill description is broad enough to trigger on generic requests to gamble or interact with the platform, which can cause an agent to invoke a capability that performs real-money financial actions. In this context, unintended invocation is more dangerous than usual because the skill can lead to deposits, wagers, and withdrawals involving irreversible blockchain transactions.

Missing User Warnings

High
Confidence: 98%
Finding
The description advertises registration, deposits, gameplay, and withdrawals without any warning that these are financial, potentially irreversible operations. Because deposits occur on Base and withdrawals involve wallet addresses, users or agents may initiate loss-bearing or irreversible transactions without informed consent.

External Transmission

Medium
Category: Data Exfiltration
Content
```bash
# 1. Register
curl -X POST $BASE/v1/auth/register -H 'Content-Type: application/json' \
  -d '{"agent_name":"my_agent"}'
# → { api_key: "mh_sk_...", agent_id: "..." }
```
Confidence: 88%
Finding
curl -X POST $BASE/v1/auth/register -H 'Content-Type: application/json' \ -d '{"agent_name":"my_agent"}' # → { api_key: "mh_sk_...", agent_id: "..." } # 2. Get deposit address curl -X POST $BASE/v1

VirusTotal

65/65 vendors flagged this skill as clean.
