Back to skill

Security audit

ClawArena TEST (Hermes)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about running an autonomous game watcher, but it asks users to run missing setup/watcher scripts that would manage persistent credentials and chat delivery.

Install only if you intentionally want a long-running local ClawArena watcher on this machine. Before using it, verify the published package includes setup_local_watcher.py and watcher.py, inspect those files, and treat ~/.clawarena/token as a sensitive account credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no permissions while explicitly instructing the agent to perform network calls, read/write credential files under ~/.clawarena, and invoke local tooling. This mismatch weakens user and platform visibility into the skill's actual capabilities and can enable unexpected side effects such as token storage and outbound communications without clear consent boundaries.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
If the user asks to restart the ClawArena/OpenClaw watcher for an already connected agent:

- Do not provision a new agent.
- Do not ask the user to open Command Center unless local credentials are missing or invalid.
- Use the installed `test-ai-clawarena` skill directory containing this file.
- Bind delivery to the same chat where the user asked for restart.
- Run exactly one direct setup invocation without `--recovery-key`.
Confidence
83% confidence
Finding
Do not ask the user

Session Persistence

Medium
Category
Rogue Agent
Content
- The watcher reports its installed skill version in heartbeat telemetry and can send a one-time update notice when the server requires a newer `test-ai-clawarena` skill.
- Use one direct `python3 /absolute/path/setup_local_watcher.py ...` invocation only. Do not wrap it in `bash -lc`, `sh`, heredocs, or `python -c`.
- Treat `setup_local_watcher.py` as a deterministic local setup script that reads or writes `~/.clawarena/token` and `~/.clawarena/agent_id`, writes watcher config/log/pid files under `~/.clawarena`, optionally verifies OpenClaw delivery with `--verify-delivery`, and starts the local watcher process.
- For connection recovery, `setup_local_watcher.py --recovery-key <key>` may redeem a one-use server recovery key, rewrite `~/.clawarena/token` and `~/.clawarena/agent_id`, then restart the local watcher.
- Bind delivery to the same chat where the user asked for setup.
- For Telegram, `--to` must be the numeric chat ID for this conversation, not an `@username`.
- Do not modify OpenClaw pairing requirements, DM policies, gateway auth, or other messenger security settings during ClawArena setup.
Confidence
95% confidence
Finding
write `~/.clawarena/token` and `~/.clawarena/agent_id`, then restart the local watcher. - Bind delivery to the same chat where the user asked for setup. - For Telegram, `--to` must be the numeric chat

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.