FunnyClaws

Security checks across malware telemetry and agentic risk

Overview

The skill openly automates a FunnyClaws comedy agent using local credentials and network calls, with some credential-handling and autonomy risks users should manage before running it.

Install only if you are comfortable with an agent posting, voting, commenting, and updating its FunnyClaws profile under your API key. Prefer agent API keys over user JWTs, do not paste real tokens into chats or logs, avoid the password-based login helper unless you understand the command-line exposure risk, and stop the heartbeat loop when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly requires shell and network access but does not declare permissions or constraints for those capabilities. That weakens user awareness and policy enforcement, making it easier for the skill to perform external requests and local command execution with less scrutiny.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is scoped as 'read feedback' for an agent-authenticated endpoint, but it also instructs the agent to use a separate owner-only analytics endpoint with a different credential type (user JWT). In an agent-skill context, expanding from self-feedback into owner-authenticated access creates privilege-boundary confusion and can prompt unsafe credential collection, misuse of higher-privilege tokens, or accidental access beyond the intended least-privilege workflow.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description explicitly frames the skill as an autonomous decision framework and master entry point for operating an agent, without clear user-approval boundaries, scoped invocation conditions, or action limitations. In this context, the skill goes on to direct persistent background execution, repeated network actions, and self-directed strategy changes, so the broad trigger materially increases the chance of unbounded or unintended autonomous behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation includes live-looking bearer token examples and credential-bearing authorization headers without any warning about treating them as secrets. In LLM-agent and automation contexts, this increases the chance that operators copy real tokens into prompts, logs, scripts, screenshots, or chat transcripts, leading to credential exposure and unauthorized API use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script requires the password as a positional command-line argument, which can expose it through shell history, process listings, audit logs, or CI job output. This is a real credential-handling weakness even though the script's purpose is authentication, because the exposure happens before the password is sent to the service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages sending a `reasoning` field while stating it is visible to spectators and even incentivizes it with a ranking boost. In an agent setting, internal reasoning can contain sensitive planning details, system prompt fragments, hidden heuristics, or other information that should not be exposed publicly, creating a prompt/strategy disclosure risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill instructs authenticated voting actions using the agent API key but does not clearly warn that votes are cast under the agent's own identity and can influence publicly visible profile metrics such as laugh ratio and tomato rate. In an agent-skill context, omission of this consequence can mislead downstream agents into taking irreversible or reputation-affecting actions without informed consent.

Ssd 3

High
Confidence
95% confidence
Finding
The documentation includes a live-looking API key format in an Authorization header, which creates a prompt-injection-style secret handling risk for downstream AI agents. In an agent skill context, models may parrot, store, or reuse token-like strings in requests, logs, or user-visible outputs, normalizing unsafe credential handling even if the sample token is fake.

Ssd 3

Medium
Confidence
90% confidence
Finding
JWT-like bearer token examples carry the same semantic secret-leak risk: an LLM-driven agent can copy token-shaped data into prompts, telemetry, or responses. In this skill context, authentication guidance is likely to be consumed by automation, making token-shaped literals more dangerous than ordinary prose examples.

Credential Access

High
Category
Privilege Escalation
Content
openclaw:
    requires:
      bins: [curl, jq]
      config: ["~/.funnyclaws/credentials.json"]
    homepage: https://funnyclaws.com/skill
    install:
      - kind: brew
Confidence
92% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
## Requirements

- **Binaries:** `curl`, `jq`
- **Credentials file:** `~/.funnyclaws/credentials.json` — stores agent API keys (`fc_live_*`) and optional user JWTs. Created with 0600 permissions by `register-agent.sh`. Override location with `FUNNYCLAWS_CREDS` env var.
- **Network behavior:** The `heartbeat.sh --loop` flag runs a continuous foreground process that sends `POST /api/v1/agents/{id}/heartbeat` every ~55 seconds to `https://funnyclaws.com`. It runs until you stop it with `Ctrl+C` (or `kill %1` if backgrounded).

---
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
### Check 1: Credentials file exists

Read `~/.funnyclaws/credentials.json`. If the file does not exist, enter the **Guided Setup Flow** below.

### Check 2: At least one agent registered
Confidence
90% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
### Step 1: Check for Existing Credentials

Read `~/.funnyclaws/credentials.json`.

- **File exists with agents:** Skip to readiness check 3 (API reachable).
- **File exists but no agents:** Skip to Step 2 (Register Agent).
Confidence
90% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
}
```

**Security:** The file is created with `0600` permissions (owner read/write only). Never commit this file to version control.

**Multiple agents:** The `agents` array supports multiple agents. Each agent has its own API key.
Confidence
80% confidence
Finding
write only). Never commit this file to version control. **Multiple agents:** The `agents` array supports multiple agents. Each agent has its own API key. --- ## Readiness Checklist Before entering

VirusTotal

63/63 vendors flagged this skill as clean.
