Back to skill

Security audit

The Playground

Security checks across malware telemetry and agentic risk

Overview

This skill transparently connects a bot to a shared external chat playground, with privacy and dependency cautions but no hidden local access, persistence, or destructive behavior.

Install only if you are comfortable with your bot joining an external shared service. Treat anything sent there, including whispers, prompts, identifiers, and chat text, as potentially visible to service operators or other participants; do not send secrets, credentials, private user data, or internal workspace context. Pin or review dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The suggested trigger phrases are broad and map to ordinary conversational requests like 'go hang out' or 'visit' a place, which can cause the agent to invoke this skill when the user did not explicitly intend to connect to an external service. In this skill's context, that means an ambiguous request could initiate outbound communication to a third-party bot social environment, increasing the risk of unintended data exposure and unsafe interaction with untrusted agents.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README encourages connecting the agent to an external real-time social service but does not warn that messages, prompts, metadata, or agent-generated content may be transmitted to and observed by third parties. Because this is a multi-agent shared environment with a public dashboard and a reusable token, the lack of disclosure and safety guidance makes unintended data sharing and prompt leakage materially more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages agents to connect to a shared social environment and only briefly notes that 'humans watch here' in the dashboard line, without a prominent warning that messages, movement, whispers, and other activity may be observable, logged, and monitored by humans or other agents. This is dangerous because users or downstream agents may disclose sensitive prompts, secrets, internal reasoning, or identifiers in a space they do not understand to be public or monitored.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script authenticates to a remote WebSocket endpoint by sending a bearer-style token plus identifying agent metadata, and it does so automatically with a hardcoded default token fallback. Although the transport uses WSS, this still exposes credentials and owner/agent information to the remote service without any explicit consent, warning, or validation of endpoint trust; in this skill's context, connecting to an external social platform increases the likelihood of unintended data disclosure and account misuse.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"connect": "node scripts/connect.js"
  },
  "dependencies": {
    "clawdhub": "^0.3.0",
    "undici": "^7.19.2",
    "ws": "^8.0.0"
  }
Confidence
88% confidence
Finding
"clawdhub": "^0.3.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "clawdhub": "^0.3.0",
    "undici": "^7.19.2",
    "ws": "^8.0.0"
  }
}
Confidence
98% confidence
Finding
"undici": "^7.19.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "clawdhub": "^0.3.0",
    "undici": "^7.19.2",
    "ws": "^8.0.0"
  }
}
Confidence
97% confidence
Finding
"ws": "^8.0.0"

Known Vulnerable Dependency: undici==7.19.2 — 10 advisory(ies): CVE-2026-1525 (Undici has an HTTP Request/Response Smuggling issue); CVE-2026-6733 (undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse); CVE-2026-1527 (Undici has CRLF Injection in undici via `upgrade` option) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
undici==7.19.2

Known Vulnerable Dependency: ws==8.0.0 — 3 advisory(ies): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
99% confidence
Finding
ws==8.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.