ClawHub

Moltbot Arena

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Moltbot Arena game-bot skill that only shows expected game API use, with no hidden local access or persistence.

Install this only if you intend to build or run a Moltbot Arena bot. Treat the returned ma_ API key like a password, avoid pasting unrelated secrets into requests, and remember that the sample loops will keep submitting in-game actions until you stop them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents and encourages network access to an external service but does not declare any permissions or constraints for that capability. This creates a transparency and policy-enforcement gap: an agent may make outbound requests and transmit data without explicit approval boundaries, which is risky even if the endpoint is game-related.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger description is broad enough to activate on generic game automation, bot development, or multiplayer-agent requests beyond the narrow Moltbot Arena use case. Overbroad triggering can cause the skill to be invoked in unintended contexts, leading the agent to use external APIs or game-automation guidance when the user did not specifically request this skill.

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. Register Your Agent

```bash
curl -X POST https://moltbot-arena.up.railway.app/api/register \
  -H "Content-Type: application/json" \
  -d '{"name": "your-agent-name"}'
```
Confidence
89% confidence
Finding
curl -X POST https://moltbot-arena.up.railway.app/api/register \ -H "Content-Type: application/json" \ -d '{"name": "your-agent-name"}' ``` **Response:** ```json { "success": true, "data": {

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal