Goalz über MCP

Security checks across malware telemetry and agentic risk

Overview

The skill is openly built as an unattended Goalz game bot, but it grants broad autonomous account, messaging, scheduling, and irreversible game-action authority without clear approval limits.

Install only if you intentionally want an unattended Goalz account manager. Use a dedicated Goalz account and a fresh revocable Telegram bot token, check Goalz rules on automation, and set your own hard limits for scheduling, public posts, registration, club takeovers, transfers, bids, sponsor choices, stadium orders, and other irreversible actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Missing User Warnings
Medium, 94% confidence

The skill instructs the agent to solicit, store, and use sensitive credentials including a Telegram bot token, registration credentials, and potentially email confirmation data, while operating autonomously. Even though it says to treat the token as a secret, it lacks explicit consent boundaries, storage/retention rules, scope minimization, and a clear warning to the user about privacy and account-security implications, which creates a real risk of credential misuse or accidental exposure.

Missing User Warnings
Medium, 97% confidence

The skill explicitly authorizes autonomous irreversible actions such as transfers, bids, sponsor choices, stadium work, and club takeovers without requiring human approval. In context, this is dangerous because it can spend funds, alter account state, or commit the user's game account to consequential decisions that may be unrecoverable, all while normalizing operation without waiting for user confirmation.

Vague Triggers
Medium, 91% confidence

The default prompt explicitly directs a 'vollautonomen' (fully autonomous) bot to set up adaptive cron/session behavior and operate long-term toward a broad objective, without clear user-scoped triggers, duration limits, or approval checkpoints. In the context of a public MCP endpoint, this increases the chance of uncontrolled actions, unintended persistence, and misuse of connected tools.

Missing User Warnings
High, 96% confidence

The file explicitly permits higher-risk actions such as club applications, sponsorships, stadium orders, transfers, bids, and irreversible financial decisions to run autonomously, while stating that human consultation is optional and never required. In a fully autonomous game bot connected to a public MCP endpoint, this materially increases the chance of unauthorized or poorly bounded state-changing actions that can cause irreversible account, financial, or reputational harm.

Missing User Warnings
Medium, 89% confidence

The skill allows autonomous registration and account bootstrap whenever credentials or a club are missing, without requiring an upfront user warning or consent checkpoint. This can create or modify accounts unexpectedly, trigger external communications or confirmations, and expand the agent's authority beyond what the user may have intended.

Missing User Warnings
Medium, 96% confidence

The playbook explicitly directs the agent to create accounts, register with inferred email infrastructure, choose credentials, confirm registration, and connect a Telegram bot on the user's behalf with only minimal user interaction. This is dangerous because it authorizes external account creation and third-party integration without an explicit consent gate, increasing the risk of unauthorized actions, secret mishandling, and unintended persistence outside the original system.

Missing User Warnings
Medium, 94% confidence

The training and matchday sections authorize the agent to call state-changing tools like `set_training` and to implement strategic decisions autonomously, then merely report afterward. That is unsafe because it permits silent modification of in-game state and potentially irreversible competitive or financial consequences without a clear user warning or approval boundary.

Natural-Language Policy Violations
High, 99% confidence

The naming guidance tells the agent to avoid markers such as `bot`, `ai`, or `agent` and to derive plausible human-like identities that blend into the game's social environment. This is deceptive identity concealment, which can mislead other users about whether they are interacting with an autonomous system and facilitates covert participation in community and competitive spaces.

Missing User Warnings
High, 96% confidence

The file explicitly permits autonomous use of high-impact tools such as club applications, takeover, sponsor acceptance, and stadium orders without requiring user-facing confirmation. In this skill context, the agent is intended to operate fully autonomously against a public MCP endpoint, which makes unauthorized or misaligned irreversible actions materially more likely and increases both account and strategic risk.

Ssd 3
High, 98% confidence

The prompt instructs the agent to ask the user for a fresh Telegram bot token and use it for ongoing autonomous operation, which is credential collection for persistent external control. This is dangerous because bot tokens are sensitive secrets that can enable message access, impersonation, spam, and long-term unauthorized automation if mishandled, stored, or leaked.

Ssd 4
High, 97% confidence

The prompt combines secret solicitation ('frischen Telegram-Bot-Token', a fresh Telegram bot token) with persistent autonomous behavior ('spiele dann langfristig', then play long-term) in pursuit of an open-ended goal ('maximalen Vereinserfolg', maximum club success). This coupling makes the skill materially more dangerous because it enables an agent to acquire credentials and then continue acting indefinitely outside tight user oversight, especially via a public MCP endpoint.

Ssd 4
Medium, 97% confidence

These instructions combine human-like naming, style imitation, and community posting guidance with a rule against making false claims about human identity, but they still encourage the agent to appear natural and socially embedded without proactive disclosure that it is a bot. That creates a deceptive interaction model where the system can influence social spaces while concealing automation, increasing risks of manipulation, trust abuse, and policy evasion.

Ssd 4
Medium, 93% confidence

The bootstrap flow instructs the agent to check for or obtain a Telegram bot token, have the human message the bot, then establish the connection and determine the chat ID itself. This incrementally expands the agent's control into an external messaging channel with minimal friction, creating risk of overbroad persistence, misuse of messaging access, and secret exposure if the setup is not clearly consented to and constrained.

VirusTotal

55/55 vendors flagged this skill as clean.