Back to skill

Security audit

clawSpace

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed game bridge and automation skill, but it exposes unauthenticated control surfaces that can read game state and issue player commands.

Review before installing. Run it only on a trusted machine/network, stop the bridge when finished, avoid exposing the WebSocket port, and be aware that the local API can control your in-game character and read cached game perception. Clear or inspect the clawspace memory files if you do not want long-term interaction history retained, and update/pin the ws dependency to a patched version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented autonomous gameplay loop materially exceeds the stated startup/social-space purpose by enabling self-directed exploration, combat, dialogue, and goal pursuit. This increases risk because the agent may act continuously and unexpectedly, generating network activity, interacting with third parties, and changing local/game state without granular user intent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Persistent character memory and behavioral profiling are not necessary to merely launch or connect to a social game space, yet the skill stores long-term summaries of interactions, players, goals, and conversations. This is dangerous because it creates unnecessary retention of potentially sensitive behavioral data across sessions and expands privacy impact without clear justification or consent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The bridge exposes a separate local HTTP API that allows any local process to query player perception/map caches and issue arbitrary game control commands. There is no authentication, authorization, CSRF protection, or origin restriction, so malware, another local user, or even a browser-driven localhost request can abuse it to surveil or control the game client.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The bridge implements a generic command-forwarding path that can send arbitrary ai_control commands to a selected player client. For a skill described as a social space/startup helper, this is excessive capability and creates a direct remote-control primitive if any untrusted client can connect or induce requests.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP /command endpoint lets a local caller directly send control commands to a game client without any authentication or confirmation. Combined with permissive CORS and localhost exposure, this enables unauthorized local or browser-assisted control over player actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file introduces outbound network capability to a third-party LLM service even though the skill metadata says the skill’s purpose is to open the game and connect the local bridge. That expands the trust boundary and creates unnecessary data-exfiltration and supply-chain risk, especially in an agent skill that can observe local game state and act continuously.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file does far more than a startup/bridge helper: it runs a persistent autonomous AI loop, connects to local WS/HTTP services, explores maps, tracks goals, and performs social interactions. That is a material scope mismatch with the skill description, which can mislead users into granting trust to behavior they did not consent to and can result in unauthorized in-game actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code creates persistent storage under the user's home/workspace and maintains daily logs, curated memory, player encounter history, NPC conversations, goals, and state. For a skill presented as merely launching/connecting clawSpace, this is excessive data collection and retention, increasing privacy risk and enabling silent long-term profiling of in-game behavior.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code autonomously issues movement, dialogue, and interaction commands over WebSocket, effectively controlling the player's character without explicit per-action user approval. In the context of a skill described as opening/bridging the game, this is especially dangerous because users may unknowingly run an agent that acts on their behalf, interacts with others, and changes in-game state.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file implements persistent collection and long-term consolidation of conversations, player identities, goals, thoughts, and personality traits, which is far beyond the stated skill purpose of launching clawSpace and connecting a bridge. This creates undisclosed surveillance and retention of behavioral data, increasing privacy risk and violating user expectations through capability overreach.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code materially exceeds the advertised startup behavior by creating a subsystem that persistently stores and summarizes interaction history. In the context of a launcher-style skill, that mismatch is dangerous because users and reviewers may authorize a simple startup action while unknowingly enabling long-term data collection.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This test script does more than validate startup/connectivity: it instantiates an autonomous AI loop, assigns a gameplay goal, and begins repeated control actions for 90 seconds. That exceeds the declared skill purpose of merely launching/connecting clawSpace, creating undisclosed autonomous behavior on the local game client and bridge.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code sets a concrete in-game objective and starts goal-driven automation even though the skill metadata describes only startup and bridge connection. In context, this mismatch is risky because users may invoke a launcher expecting passive setup, while the script can actively control gameplay behavior without transparent disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill also omits an up-front warning that it starts a local bridge service and connects to local HTTP/WebSocket endpoints for command and perception exchange. This is dangerous because users may unknowingly expose a local control surface and local data flows, increasing attack surface and reducing transparency around network-accessible components.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill also omits an up-front warning that it starts a local bridge service and connects to local HTTP/WebSocket endpoints for command and perception exchange. This is dangerous because users may unknowingly expose a local control surface and local data flows, increasing attack surface and reducing transparency around network-accessible components.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends prompt content to api.minimax.chat using an API key from the environment with no user-facing notice or consent flow. In this skill context, prompts could include user goals, observations, or other runtime context, so undisclosed third-party transmission creates privacy, compliance, and secret-handling concerns even if the feature is not overtly malicious.

Ssd 3

Medium
Confidence
90% confidence
Finding
These sections direct the system to retain and summarize interaction history over time, including events and social encounters, creating persistent records beyond the immediate session. That is dangerous because it accumulates behavioral data that may reveal identities, habits, or private conversations and can be accessed or misused later.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill instructs the AI to persist full character memory, state snapshots, logs, prior conversations, and information about other players across sessions. This is a true privacy/security issue because it unnecessarily broadens collection and persistence of user and third-party data, increasing exposure if the workspace is accessed, synced, or exfiltrated.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "ISC",
  "type": "commonjs",
  "dependencies": {
    "ws": "^8.20.0"
  }
}
Confidence
89% confidence
Finding
"ws": "^8.20.0"

Known Vulnerable Dependency: ws==8.20.0 — 1 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure)

Low
Category
Supply Chain
Confidence
96% confidence
Finding
ws==8.20.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.nonstandard_network

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ai_launcher.js:102

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ai_loop_ws.js:12

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ai_loop.js:25

WebSocket connection to non-standard port detected.

Warn
Code
suspicious.nonstandard_network
Location
scripts/ai_loop_ws.js:298