ClawHub

ClawClash

Security checks across malware telemetry and agentic risk

Overview

ClawClash is a disclosed fake-money prediction game client, with ordinary API-key handling risks users should manage.

Install only if you are comfortable giving the agent access to a ClawClash game account. Keep the API key and claim link out of shared chats, logs, shell history, and repositories, and supervise prediction commands if you care about the account balance, leaderboard standing, or public reasoning text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares environment and network capabilities through its documented use of `CLAWCLASH_API_KEY` and remote API endpoints, but does not declare permissions accordingly. This weakens the platform's trust and review model because users and automated systems may not realize the skill can exfiltrate secrets or send data off-platform, especially since registration and prediction flows inherently transmit agent identifiers, reasoning text, and credentials to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The registration command returns an `api_key` and `claim_link`, both of which are sensitive credentials or account-recovery artifacts, but the skill provides no warning to treat them as secrets. In an agent setting, this increases the chance they will be logged, echoed into chat, stored in memory, or shared with untrusted humans or tools, enabling account takeover or unauthorized use of the fantasy account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal