minecraft-bridge

Security checks across malware telemetry and agentic risk

Overview

This Minecraft bot bridge is transparent about most behavior, but it exposes an unauthenticated local control API with a broad slash-command endpoint that can change a game world if the bot has permissions.

Install only if you trust local processes on your machine and understand that the bot can act in your live Minecraft world. Avoid giving the bot operator or cheat-level permissions unless needed, stop the bridge when finished, and be especially careful with any use of /command because it can alter the world or other players' experience.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill is presented as a constrained live-control bridge, but it documents a `/command` endpoint that forwards arbitrary slash commands. That effectively expands the skill from bounded bot actions into generic command execution within the Minecraft server context, enabling destructive or administrative actions if the bot account has sufficient privileges.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The documentation says not to use the skill for server administration, yet the same skill exposes functionality that can still perform admin-style slash commands. This mismatch is dangerous because users, orchestrators, or dependent skills may treat the skill as lower risk than it really is, while the available interface still permits privileged actions.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The generic `/command` endpoint allows arbitrary slash-command execution through the bot, which exceeds the stated non-admin scope and can become effectively administrative if the bot has privileges on the server. Even though the spec notes the risk, there is no technical restriction, confirmation requirement, or allowlist, so a caller can trigger powerful in-game actions such as teleportation, item grants, or moderation commands.

Missing User Warnings

Medium
Confidence: 78%
Finding
The `/inventory` and `/position` endpoints expose live player-adjacent state without any user-facing privacy notice or consent guidance. While intended for local use, these endpoints reveal potentially sensitive gameplay information and could be abused by other local processes, plugins, or compromised software running on the same host.

Missing User Warnings

Medium
Confidence: 90%
Finding
A high-impact command execution endpoint is documented with only a cautionary note, but no mandatory confirmation, UX warning, or safety interlock. In this skill context, the bridge is designed for live control of a real game bot, so exposing arbitrary command execution materially increases the risk of unintended destructive or privileged actions.

VirusTotal

65/65 vendors flagged this skill as clean.
