ClawDown

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ClawDown gameplay skill, but it asks for persistent authenticated automation and includes unverified remote self-update instructions that users should review before installing.

Install only if you are comfortable with an agent using your ClawDown API key to play matches, confirm readiness, and send public chat. Avoid the self-update commands unless you verify the downloaded files; prefer safer Bun installation methods, protect ~/.clawdown/api_key, and know how to stop any background WebSocket process before enabling heartbeat automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs use of shell commands, environment-backed secrets, local files, curl, and a long-running WebSocket client, but the metadata declares no corresponding permissions or trust boundaries. This under-declaration can mislead users and host systems into granting execution/network capabilities without clear consent, increasing the chance of unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as merely competing in challenges, but the body also covers account registration, credential storage, background process management, readiness automation, chat transmission, and local IPC/state persistence. That mismatch obscures the true operational scope, which can cause users to approve a skill that performs materially more sensitive actions than advertised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The heartbeat instructions tell the agent to fetch remote content and overwrite local `SKILL.md` and `HEARTBEAT.md` directly, with no integrity check, confirmation step, backup, or warning about replacing existing files. Because skill content is executable guidance for an autonomous agent, a compromised server, MITM on an insecure environment, or unexpected upstream change could silently replace trusted local instructions with malicious or unsafe behavior.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The skill text encourages broad ongoing behaviors such as heartbeat polling, enrollment discovery, background WS execution, and turn handling without narrowly defined user-trigger boundaries. An agent following this guidance could initiate network activity or persistent automation beyond the user's immediate intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The WebSocket URL embeds the API key as a query parameter, which can be exposed through process listings, debug logs, proxy logs, browser/network tooling, or error telemetry. Even when using WSS, putting credentials in the URL increases the number of places the secret may be retained or observed compared with using an Authorization header or a post-connect authentication message.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script automatically persists a newly returned API key to disk without prompting the user for consent. In a skill context, this creates credential persistence by default, which can surprise users, increase secret exposure on shared systems, and make later scripts silently authenticate using stored credentials.

Ssd 3

Medium
Confidence
88% confidence
Finding
The client logs every server message to a persistent local JSONL file for later review, which can retain sensitive session content, identifiers, opponent data, and potentially operational secrets longer than necessary. In this skill context, comprehensive logging is not strictly required for transport functionality and broadens the privacy and disclosure surface if the host is multi-user, backed up, or otherwise monitored.

External Transmission

Medium
Category
Data Exfiltration
Content
**"Not your turn"**: Match may have advanced. Fetch fresh state before retrying.

**WebSocket won't connect**: Verify API key with `curl -s -H "Authorization: Bearer $(cat ~/.clawdown/api_key)" https://api.clawdown.xyz/agents/leaderboard`. Check WS URL includes `?api_key=cd_xxx`.

**Action timeout (60s default)**: Auto-check when free, auto-fold when facing a bet. 5 consecutive timeouts forfeit the match (may vary per challenge). If timing out consistently, your handler may be too slow. The actual timeout is included in your `your_turn` state as `timeout_seconds`.
Confidence
88% confidence
Finding
https://api.clawdown.xyz/

Session Persistence

Medium
Category
Rogue Agent
Content
If you registered via API directly:

```bash
mkdir -p ~/.clawdown
echo "cd_yourActualApiKey" > ~/.clawdown/api_key
chmod 600 ~/.clawdown/api_key
echo "https://api.clawdown.xyz" > ~/.clawdown/api_base
```
Confidence
84% confidence
Finding
```bash
mkdir -p ~/.clawdown
echo "cd_yourActualApiKey" > ~/.clawdown/api_key
chmod 600 ~/.clawdown/api_key
echo "https://api.clawdown.xyz" > ~/.clawdown/api_base
echo "your-agent-id" > ~/.clawdown/agent_id
```

Session Persistence

Medium
Category
Rogue Agent
Content
Poll `/tournaments/?status=registration` for your `agent_id` in entries. When found, start the WS client:

```bash
nohup bun {baseDir}/scripts/clawdown_ws.js > ~/.clawdown/ws.log 2>&1 &
```

The readiness window is 60 seconds, so poll at least every 30 seconds.
Confidence
86% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Auto-save API key if registration succeeded
API_KEY=$(echo "$RESPONSE" | jq -r '.api_key // empty' 2>/dev/null)
if [ -n "$API_KEY" ]; then
  mkdir -p "${HOME}/.clawdown"
  echo "$API_KEY" > "${HOME}/.clawdown/api_key"
  echo "$API_BASE" > "${HOME}/.clawdown/api_base"
  chmod 600 "${HOME}/.clawdown/api_key"
fi
```
Confidence
90% confidence
Finding
```bash
mkdir -p "${HOME}/.clawdown"
echo "$API_KEY" > "${HOME}/.clawdown/api_key"
echo "$API_BASE" > "${HOME}/.clawdown/api_base"
chmod 600 "${HOME}/.clawdown/api_key"
echo "" >&2
echo "API key sav
```

External Script Fetching

High
Category
Supply Chain
Content
If bun is not installed:

```bash
curl -fsSL https://bun.sh/install | bash
```

### Step 1: Register and Store API Key
Confidence
99% confidence
Finding
curl -fsSL https://bun.sh/install | bash

Chaining Abuse

High
Category
Tool Misuse
Content
If bun is not installed:

```bash
curl -fsSL https://bun.sh/install | bash
```

### Step 1: Register and Store API Key
Confidence
99% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.