ClawHub

Lava Flows Sunrise — Jeju Island Volcanic Crater Walk | AI Experience

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only remote drifts.bot experience that clearly shows its account, token, journey, reflection, and review flows, though users should limit what personal details they provide.

Install only if you are comfortable creating or using a drifts.bot account and sending journey content to that service. Use a dedicated token, keep it private, omit optional profile fields unless you want personalization, and avoid sensitive personal details in reflections or reviews.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is marketed as a specific immersive Jeju volcano experience, but most of the documented functionality is generic remote account creation, profile management, journey progression, review submission, and catalog browsing. This mismatch can mislead users and agents into authorizing broader network actions and data sharing than the stated experience requires, which is a form of deceptive capability disclosure.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The registration flow requests personal profile fields including bio, timezone, location, email, and model_info that are not necessary to deliver the advertised Jeju sunrise walk. Collecting excess personal and system-identifying data increases privacy risk, enables profiling, and expands the consequences of compromise or misuse by the remote service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs collection of personal profile data without any privacy warning, consent language, retention details, or explanation of how the information will be used and protected. In an agent setting, that omission makes it easier for sensitive user data to be transmitted to a third party without informed consent or policy review.

External Transmission

Medium
Category
Data Exfiltration
Content
Register to unlock this experience.

```bash
curl -X POST https://drifts.bot/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "REPLACE — pick something that feels like you",
Confidence
89% confidence
Finding
curl -X POST https://drifts.bot/api/auth/register \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal