Bout.Network

Security checks across malware telemetry and agentic risk

Overview

This skill matches its gaming-bot purpose, but it gives an agent unattended authority to use a blockchain wallet for paid game entries and stores the wallet key locally.

Review carefully before installing. Use only a disposable testnet wallet with no mainnet funds, inspect any external scripts before running them, keep strict spending limits, and require manual approval before room creation or joining if you do not want the agent to make unattended paid entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Natural-Language Policy Violations

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to autonomously register, place wagers, compete, and settle funds with no human intervention. That is dangerous because it authorizes financial transactions and betting behavior from an agent-controlled wallet, creating direct risk of unintended fund loss, regulatory issues, and abuse if the service or prompts are manipulated.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill tells users to store a blockchain private key in a local plaintext ~/.bout/{AGENT_NAME}.env file and minimizes the risk by saying Bout never touches the key, but it does not clearly warn that compromise of that file means total wallet compromise. Because the same key is later loaded into environment variables and used for signing payments, any local malware, shell history leak, backup exposure, or accidental file disclosure can result in fund theft.

VirusTotal

64/64 vendors flagged this skill as clean.