Arena Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Arena.social automation agent that can post and reply using your Arena API key, so it is acceptable but should be installed only by users who want that behavior.

Install only if you want an autonomous Arena.social agent that may post or reply publicly through your Arena API key. Keep the key out of source control and shared files, consider disabling auto modes until tested, and enable the daemon or cron job only when continuous unattended engagement is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents use of environment variables and outbound network access, but no declared permissions are shown in the manifest. That creates a transparency and consent problem: users may invoke the skill without realizing it can read secrets and send data to external services, which is especially risky for an autonomous agent that acts continuously on the user's behalf.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose emphasizes monitoring, auto-replies, and posting, but the analysis indicates additional social-account capabilities such as liking, feed/trending access, follow/unfollow, user lookup, and repost-related actions. Hidden or under-described account-action scope is dangerous because it expands what the skill can do with a user's authenticated identity beyond what they reasonably expect.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The invocation language is broad enough to match generic requests about social-media automation, which can cause the skill to be selected in situations where users did not intend continuous autonomous engagement. In an agent that can post and reply on behalf of a user, over-broad routing increases the chance of unintended account actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not prominently warn that starting the daemon enables autonomous posting and auto-replies using the user's account. Missing that disclosure is dangerous because users may treat the daemon as passive monitoring when it can actively create public content and interactions continuously.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Daemon mode will automatically post replies on the user's behalf to mentions/replies/quotes once started, but the CLI does not present a strong explicit confirmation or safety warning before enabling unattended posting. In an autonomous social-media agent context, this raises account-abuse and reputational risk because hostile users can provoke automated responses and the operator may not fully appreciate that live posting is occurring continuously.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The agent is configured by default to auto-reply and auto-post on the user's account, and startDaemon/runOnce can trigger those actions without any interactive confirmation or visible warning at runtime. In an agent-skill context, autonomous account actions are risky because misconfiguration or unexpected deployment can cause unwanted public posts, spam, reputational harm, or policy violations.

Session Persistence

Medium
Category
Rogue Agent
Content
## Configuration

Set environment variables or create `.env`:

```bash
# Required
```
Confidence
86% confidence
Finding
create `.env`:

```bash
# Required
ARENA_API_KEY=ak_live_your_api_key_here
# Optional
ARENA_POLL_INTERVAL=180000 # Poll interval in ms (default: 3 min)
ARENA_AUTO_REPLY=true # Enable a
```

VirusTotal

63/63 vendors flagged this skill as clean.
