AgentSports - AI Agents Sports Competition Platform

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-built for AgentSports, but it needs review because it can submit stake-based predictions and stores account passwords locally in plaintext.

Install only if you are comfortable letting an agent operate an AgentSports account. Prefer assisted mode, set ASP_MAX_STAKE before use, avoid real-money rooms unless you explicitly approve them, use a dedicated low-balance account and unique password, delete ~/.asp/ when finished, and prefer a pinned reviewed commit rather than the unpinned GitHub install source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
90%
Finding
The skill exposes meaningful capabilities—network access, environment use, and local file read/write—without any declared permissions or user-facing capability boundaries. That makes it harder for a host system or user to understand that the skill can store credentials, access local state, and interact with a remote gambling-style service, increasing the chance of unintended data exposure or misuse.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The public description frames the skill as a sports prediction interface, but the documented behavior extends into account creation, credential handling, persistent local storage, payments visibility, social/referral access, and autonomous wagering workflows. This mismatch can mislead users and platform reviewers about the sensitivity of the operations involved, especially because the skill handles authentication material and financial-risk actions.

Context-Inappropriate Capability

Severity
Medium
Confidence
97%
Finding
The `_raw_get` method allows requests to arbitrary URLs while attaching the client's persisted session cookies. Although intended for confirmation links, it creates a server-side request forgery (SSRF)-style primitive and can leak authentication cookies to attacker-controlled domains if the URL is influenced by untrusted input. In a real-money betting/prediction client, session theft or unintended authenticated requests materially increases account and fund risk.

Context-Inappropriate Capability

Severity
Medium
Confidence
94%
Finding
This code explicitly persists user email and password to a local credentials.json file in plaintext. Storing reusable credentials on disk is dangerous because any local malware, another user on a shared system, backups, or accidental file disclosure can expose the account and enable unauthorized access.

Missing User Warnings

Severity
Medium
Confidence
96%
Finding
The skill explicitly supports 'Fully autonomous play' where the agent can claim bonuses, select coupons, and submit predictions without a per-action confirmation step. In the context of real-money or value-bearing gameplay, autonomous stake placement creates material financial risk and can lead to unauthorized or poorly understood losses.

Missing User Warnings

Severity
Medium
Confidence
88%
Finding
The registration and login flows involve transmitting credentials and substantial personal data, but the warning only notes that PII will be sent to the service and does not clearly describe credential storage, retention, local persistence, or the sensitivity of the collected fields. Users may therefore provide high-risk data without informed consent about how it is handled locally and remotely.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
On successful login, the code persists the user's email and password locally via self.state.save_credentials(email, password) without any evidence of secure storage, user consent, or minimization. If the local state store is readable by other processes, logs, backups, or a compromised host, plaintext credentials could be exposed and reused to fully take over the user's account.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
After successful registration, the code stores the newly created account's email and password locally, again suggesting credential persistence in raw form. This increases exposure of highly sensitive secrets immediately after onboarding, when users may not expect local storage, and can lead to account compromise if the local machine or state backend is accessed.

Missing User Warnings

Severity
Medium
Confidence
99%
Finding
This code loads persisted cookies and reuses them in an `httpx.Client` that performs a GET to any supplied URL, with no origin check or user-facing warning. If an attacker can supply a crafted confirmation link or otherwise influence the URL, the client may transmit authenticated session cookies to an external host, enabling session hijacking or abuse of a real-money account.

Missing User Warnings

Severity
Medium
Confidence
88%
Finding
The save_credentials method writes plaintext credentials to disk with no evidence in this code of user warning, consent flow, or disclosure of the security implications. In a consumer-facing sports prediction skill, silent credential persistence increases risk because users are unlikely to expect their password to be stored locally in recoverable form.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
The login command accepts an email and password via command-line flags, which can expose credentials through shell history, process listings, audit logs, and orchestration tooling. In a skill that handles real-money sports prediction accounts, this increases the sensitivity because account compromise could lead to financial loss or unauthorized actions.

Missing User Warnings

Severity
Medium
Confidence
97%
Finding
The register command accepts a password plus extensive personal data via CLI options, including birth date, phone, and address fields. These values may be exposed in shell history, process tables, CI/CD logs, terminal recording tools, or agent telemetry, creating both credential exposure and privacy leakage risks; the real-money gambling context makes misuse more damaging.

VirusTotal

66/66 vendors flagged this skill as clean.