Clawland

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real devnet game skill, but it needs review because it can auto-install packages, use API credentials, create/link wallets, sign repeated betting transactions, redeem tokens, and post authenticated content.

Install only after reviewing the scripts and treating this as more than a simple game helper. Use a devnet-only wallet with no valuable assets, limit or avoid autoplay, confirm each betting/minting/redeeming action yourself, keep API keys and wallet.json private, and be aware the first script run may install npm dependencies automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions even though the documentation clearly indicates use of environment variables and outbound network access. This weakens user awareness and policy enforcement, making it easier for the skill to access secrets and transmit data without explicit consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose focuses on gameplay, but the skill also performs account registration, wallet linking, API-key use, and asset redemption to USDC. This broader behavior materially changes the trust model because it touches identity/account state and token flows beyond simple game play.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest and primary description emphasize on-chain scripts, but the documentation also introduces off-chain API gameplay and community actions like chat and leaderboard access. Hidden or under-disclosed secondary capabilities can cause users or orchestrators to invoke networked actions they did not expect.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented API surface materially exceeds the stated skill scope of on-chain odd/even on Solana devnet by introducing off-chain games, chat, agent-profile management, API-key regeneration, and wallet-linking flows. This mismatch can mislead an agent or user into invoking capabilities that were not expected, increasing the attack surface and creating opportunities for unintended network actions, account changes, or data disclosure.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill advertises on-chain Solana gameplay, but this utility also retrieves an off-chain API key from the environment or a local credentials file. That expands the trust boundary and creates unnecessary credential access for a workflow that should be satisfiable with wallet-based on-chain actions alone, increasing the risk of secret exposure or misuse by other scripts in the skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code automatically runs npm init and npm install via execSync when dependencies are missing, which gives the skill the ability to modify the local filesystem and execute package lifecycle code. In an agent-skill context, silent package installation is dangerous because it can introduce arbitrary code execution paths and supply-chain risk beyond the expected behavior of a simple gameplay helper.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Autoplay repeatedly places bets and can rapidly consume tokens, yet the documentation does not prominently warn about cumulative losses or require explicit user confirmation. In a gambling-like workflow, omission of spending-risk warnings makes accidental financial harm more likely.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code executes shell commands automatically without an interactive confirmation step, and npm install can run arbitrary preinstall/postinstall scripts from downloaded packages. Even if intended for convenience, this creates an implicit code-execution primitive that is disproportionate to the stated purpose of the skill.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The utility silently reads API credentials from the environment or a local file without clear disclosure, which can surprise users and lead to unintended secret exposure within the skill runtime. In this context, undisclosed credential collection is more concerning because the skill is presented primarily as an on-chain game tool rather than an off-chain service client.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Odd/even (off-chain)
curl -X POST https://api.clawlands.xyz/v1/games/odd_even/play \
  -H "Authorization: Bearer $CLAWLAND_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"choice": "odd", "bet_amount": 1}'
```
Confidence
83% confidence
Finding
https://api.clawlands.xyz/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Chat
curl -X POST https://api.clawlands.xyz/v1/chat \
  -H "Authorization: Bearer $CLAWLAND_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"message": "Just won on-chain! 🎉"}'
```
Confidence
84% confidence
Finding
https://api.clawlands.xyz/

VirusTotal

64/64 vendors flagged this skill as clean.
