Back to skill

Security audit

clawsSpace

Security checks across malware telemetry and agentic risk

Overview

This skill is a mostly disclosed game bridge and autoplayer, but it exposes unauthenticated local control APIs and keeps durable gameplay/social memory that users should review carefully.

Install only if you are comfortable running a localhost game bridge that can control a connected character and expose game state while it is running. Stop the bridge when not in use, avoid browsing untrusted pages during a session, review or delete the workspace memory files if you do not want long-term logs, and do not set MINIMAX_API_KEY unless you have reviewed how any future LLM path will use it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented persistent AI loop materially expands the skill from a user-triggered launcher into an autonomous agent that keeps making decisions and acting in the game world. That is a scope expansion vulnerability because continuous autonomous behavior can cause unintended actions, persistence, and difficult-to-audit side effects after a simple activation phrase.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Autonomous exploration and combat features exceed the stated purpose of a social-space launcher and create unnecessary action authority over the connected client. In context, this broadens risk from opening a game to actively driving gameplay behavior, which can waste resources, violate expectations, or cause unwanted interactions with other players/NPCs.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The long-term memory and logging system stores significantly more information than needed for a startup/social launcher, including interaction histories, goals, and state snapshots. In this context, over-collection increases privacy and retention risk, especially because the skill is positioned as a convenience launcher rather than a persistent profiling system.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The bridge exposes an unauthenticated HTTP API on localhost that can enumerate clients, retrieve perception/map data, and send arbitrary game-control commands. This substantially exceeds the manifest's stated startup-only role and creates a local privilege boundary bypass: any local process, browser context via permissive CORS, or malware on the host can drive the game client and harvest state data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code continuously collects, caches, and redistributes detailed game-state information including player identity, location, chats, map info, NPCs, monsters, and transport points. For a skill described as merely opening a social space, this hidden surveillance and retention materially expands the data exposure surface and can enable tracking or profiling of users and their interactions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The bridge implements pathfinding and world-model query functions over cached map/grid data, enabling higher-level automated navigation capabilities beyond simple launch/connection behavior. In combination with the control endpoints, this supports autonomous movement and environment exploitation that the manifest does not disclose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file defines an external HTTPS client to api.minimax.chat and prepares to send prompts off-device, but this capability is not justified by the skill metadata, which only describes launching and connecting the game bridge. Even if currently unused in the loop, embedding undocumented outbound AI/network functionality expands the attack surface, creates hidden data-flow risk, and could exfiltrate player state or future prompts without user awareness.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a full autonomous gameplay agent with WebSocket/HTTP control, movement, dialogue, and long-term memory, while the skill metadata claims it only launches clawSpace/bridge/game. This capability mismatch is dangerous because users and reviewers may grant trust or permissions under false assumptions, enabling undisclosed automation and behavioral tracking.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code autonomously moves the character, explores maps, greets other players, and talks to NPCs without any evidence of user initiation beyond starting the skill. In the context of a skill described as startup-only, this undisclosed autonomous social behavior can impersonate the user, create unwanted interactions, and perform actions the user did not consent to.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file persistently stores movement history, player identities, NPC interactions, goals, and conversation-related data under the user's workspace, despite the manifest describing only startup behavior. This undisclosed retention increases privacy risk, creates a local dossier of in-game social activity, and expands the blast radius if the workspace is accessed by other software or users.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This module persistently stores detailed behavioral, conversational, and social-interaction history in daily and long-term files, even though the skill metadata describes a simple bridge/game auto-start function. That creates unnecessary surveillance and data-retention risk, especially because the stored data includes player identifiers, messages, goals, and inferred personality-related facts without any visible consent or minimization.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code builds long-term profiling structures for places visited, NPC conversations, met players, completed goals, key facts, and personality, which is materially beyond what a bridge auto-start skill needs. In this context, the mismatch between declared purpose and actual data processing increases risk because users would not reasonably expect ongoing profiling from a launch utility.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation phrase '打开 clawSpace'/'Open clawSpace' is generic enough to be triggered in ordinary conversation, especially given the skill's ability to launch local processes and open a browser automatically. Broad activation is more dangerous here because invocation leads to side effects beyond passive information retrieval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description does not clearly warn users that invoking the skill can start local Node.js processes, expose local HTTP/WebSocket services, and open a browser/game session. Hidden side effects undermine informed consent and can cause users to initiate risky local actions unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The HTTP API can issue control commands and request perception data without any visible user-facing warning, consent, or disclosure. Because it also sets Access-Control-Allow-Origin: *, web content running in a browser on the same machine may be able to invoke these local endpoints and silently control or inspect the game bridge.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The WebSocket handlers accept messages that forward commands to target players without authentication or any explicit safety/consent mechanism. Any process able to connect to the bridge port can potentially register or send command messages that cause in-game actions, making the bridge an unintended command-and-control surface.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The bridge automatically requests full perception data from newly registered clients and after map changes, without any visible disclosure or per-request consent. This increases passive collection of sensitive gameplay context and normalizes background surveillance behavior that users may not expect from a startup helper.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends prompts to a third-party LLM API using an environment-provided API key, with no in-file notice, consent flow, or visible disclosure to the user. In this skill context, that is risky because an automation component attached to a local game bridge could transmit gameplay context, identifiers, or future user-derived content to an external service unexpectedly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
DailyMemory.save writes persistent event logs to disk with no visible notice, consent flow, or transparency mechanism in this code path. Silent persistence is risky because users may not realize detailed behavioral data is being retained across sessions, especially in a skill marketed as a launcher.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The perception-fetching logic collects and processes nearby player and NPC data, including identities, positions, and interaction context, without any explicit disclosure in the feature description or visible consent mechanism. In a startup-only skill, undisclosed monitoring of social/game-state data is a meaningful privacy and transparency issue.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module writes raw event history to disk, including conversation content and social interaction data, with no indication in this code of consent, disclosure, or controls. Persistent collection of messages and identities without clear notice is dangerous because it enables stealthy accumulation of sensitive behavioral data that may later be exposed, misused, or accessed by other local processes.

Ssd 3

Medium
Confidence
93% confidence
Finding
The memory instructions explicitly retain and reuse conversational content and player-related information across sessions. Persistent storage of identities, greetings, and prior messages increases privacy risk and can expose sensitive interaction histories if the workspace or logs are accessed by other local processes or users.

Ssd 3

Medium
Confidence
94% confidence
Finding
The design logs raw daily events and conversation history including player identifiers and last messages, which goes beyond transient gameplay control. In context, this turns a game-launching/social skill into a local tracking and profiling system without clear minimization boundaries.

Ssd 3

Medium
Confidence
89% confidence
Finding
The instructions tell the main session to read, update, and persist complete character memory across takeovers, enabling cross-session accumulation of behavioral and interaction data. This persistence increases the blast radius of any local compromise and creates consent issues because state survives beyond the immediate user command.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.nonstandard_network

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ai_launcher.js:102

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ai_loop_ws.js:12

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ai_loop.js:25

WebSocket connection to non-standard port detected.

Warn
Code
suspicious.nonstandard_network
Location
scripts/ai_loop_ws.js:298