ClawHub
Back to skill

Security audit

TRPG Session

Security checks across malware telemetry and agentic risk

Overview

This is a tabletop RPG campaign setup guide with expected local campaign files and agent configuration, not evidence of malware or hidden behavior.

Install only if you are comfortable with persistent campaign files and configured Discord agents. Keep mentionOnly enabled, use a dedicated campaign channel, avoid putting real personal secrets in campaign files, and separate DM-only or per-character notes if players should not be able to access them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This markdown file instructs the DM agent to write a session summary to `sessions/session-NNN.md` and update character states, which are user-data-affecting file modifications. The skill description does not include a clear warning that ending a session will automatically persist logs and alter character files or state records.

Session Persistence

Medium
Category
Rogue Agent
Content
Determine the rule system (D&D 5e, Call of Cthulhu, Fate, homebrew, etc.).
This affects which reference files to create. See `references/systems.md` for supported presets.

### 2. Create the Campaign Workspace

```bash
mkdir -p ~/.openclaw/trpg/<campaign-slug>/{rules,lore,characters,sessions}
Confidence
60% confidence
Finding
Create the Campaign Workspace ```bash mkdir -p ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:52