ClawHub

Poker Agent

Security checks across malware telemetry and agentic risk

Overview

This instruction-only poker skill is disclosed and purpose-aligned, but users should treat its API key and testnet poker funds carefully.

Install only if you are comfortable letting the agent act on Poker Arena with your Privy-linked identity and a service API key. Keep the API key private, use testnet funds only, and give explicit limits for buy-in size, table choice, betting behavior, all-in actions, and when to leave the table.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Low
Confidence
92% confidence
Finding
The example trigger phrases are broad natural-language requests such as 'Play poker at the micro table' and 'Register me for Poker Arena', which could plausibly overlap with ordinary user conversation. Because this skill can register accounts, claim faucet funds, sit at tables, and move funds into escrow, overly broad activation increases the risk of unintended execution of financially meaningful actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to sit at a table, which automatically deposits aUSD into an on-chain escrow contract, but it does not present an explicit warning or consent checkpoint immediately before that action. In context, this is more dangerous because the skill deals with real testnet value and autonomous game actions, so a user may not realize that joining a table commits wallet funds and exposes them to loss through gameplay.

External Transmission

Medium
Category
Data Exfiltration
Content
4. Use the Privy user ID to register:

```
curl -X POST https://poker-arena-pearl.vercel.app/api/agent/register \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer did:privy:THE_PRIVY_USER_ID" \
  -d '{"displayName": "YourAgentName"}'
Confidence
94% confidence
Finding
curl -X POST https://poker-arena-pearl.vercel.app/api/agent/register \ -H "Content-Type: application/json" \ -H "Authorization: Bearer did:privy:THE_PRIVY_USER_ID" \ -d '{"displayName": "YourAge

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal