ClawHub

三國志略 / Histrategy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed historical strategy game skill whose file storage, LLM use, and chat-based gameplay are aligned with its purpose.

Install if you want a persistent AI strategy game and are comfortable with local game saves and optional LLM API usage. Prefer explicit commands like /histrategy to avoid accidental activation, and delete saved rooms if you do not want gameplay history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase "rome" is very broad and likely to appear in unrelated conversations, which can cause accidental invocation of the skill. In an agent environment, unintended activation can lead to unprompted file writes, API usage, or stateful game actions being performed in the wrong context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger "triumvirate" is ambiguous and may match normal historical, political, or educational discussion unrelated to the game. This increases the chance of accidental skill execution and any side effects associated with starting or resuming a stateful session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents persistent on-disk storage of game state under the user's home directory but does not clearly warn about local file creation, retention, or possible sensitive content in logs. In multi-user or managed environments, silent persistence can expose gameplay history, prompts, and metadata beyond the user's expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal