ClawHub

Chinese Voice Detective Mystery Game

Security checks across malware telemetry and agentic risk

Overview

This is a coherent voice-enabled detective game, with expected use of LLM, ASR/TTS services, API keys, and local save files, but users should understand its privacy and persistence behavior before running it.

Install only if you are comfortable sending game prompts, typed responses, and any selected audio files to the configured model and speech providers. Use dedicated API keys, run with --no-asr or --no-tts for more privacy, avoid entering sensitive personal information, and delete the outputs directory when you no longer want saved game data or reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation indicates capabilities to access environment variables, read/write files, and use networked services, but it does not declare permissions or warn users about those capabilities. This creates a transparency and consent problem: users and reviewers cannot easily assess that the skill may access API keys, persist data, and transmit content externally.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill describes save/load functionality and writing a case_report.json containing full case and gameplay records, but does not warn that transcripts, deductions, and possibly voice-derived content will be stored locally. This can expose sensitive user inputs or conversation history to other local users, backups, or later unintended reuse.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill uses ASR, TTS, and LLM services with API keys, implying that user voice and text content may be transmitted to external providers, yet there is no user-facing privacy warning or consent language. In a voice-interactive game, users may reveal personal or biometric-adjacent data through speech, making undisclosed third-party processing more sensitive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User audio and text are transmitted to third-party ASR/TTS services, but the script provides no explicit privacy notice or consent step at the time of collection/transmission. In an interactive voice game, players may disclose sensitive personal information during speech or typed input, making silent transfer to external providers a meaningful privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal