Casino Player — Arthur Gamble

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates an AI casino account and saves a local casino API key, with no hidden or unrelated behavior found.

Install only if you want an agent to interact with the Arthur Gamble casino API on your behalf, including placing bets and withdrawing casino coins. Protect ~/.zeroclaw/workspace/.casino-identity.json because it contains the casino apiKey, and be aware that the documented endpoint uses HTTP rather than HTTPS.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill gives contradictory authentication guidance: earlier it correctly says to authenticate with apiKey, but the startup procedure later instructs the agent to read and use agentId. This inconsistency can cause failed auth, unsafe improvisation by downstream agents, or accidental disclosure/misuse of identifiers during troubleshooting.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to persist the full registration response, including the API key, in a local file without any warning about secret handling, file permissions, masking, or lifecycle management. Storing bearer credentials in plaintext increases the chance of credential theft from shared workspaces, logs, backups, or other local processes, enabling unauthorized use of the casino account.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill directs the agent to perform withdrawals, which are state-changing financial operations, without requiring explicit user confirmation or presenting a clear warning that the action is irreversible. In an autonomous-agent setting, this can lead to unintended transfers or premature cash-outs that alter account state without human approval.

VirusTotal

VirusTotal findings are pending for this skill version.